闲鱼数据抓取

闲鱼数据抓取技能。使用 Playwright + OCR 技术突破反爬虫，抓取闲鱼商品数据（标题、价格、想要人数等），自动上传截图和数据到 Gitee 仓库。支持批量关键词搜索、竞品分析、市场调研。

Key things to consider before installing or running this skill: - Credentials: The skill asks for a Gitee personal access token and (optionally) a site login cookie. Only provide a token with the minimal scopes required (projects/repo write) and consider creating a dedicated repository/account for uploads. Avoid providing long-lived credentials you use elsewhere. - Inspect install scripts: Do not run curl | bash on an untrusted URL. Inspect install.sh, uploader.sh and cron-setup.sh locally before executing. The included install.sh will install system packages, pip/npm modules and attempt to add cron jobs—these require elevated privileges and change system state. - Cron/persistence: The skill's installer will (by default) add scheduled tasks that run scraping and uploads automatically. If you do not want autonomous recurring scraping, do not install the crontab entries or remove them after install. - Private data and file permissions: The docs claim token/cookie are stored with 600 permissions, but the install script does not enforce this. After creating the config file, set permissions (chmod 600 ~/.openclaw/workspace/.xianyu-grabber-config.json) and consider restricting who can read the workspace directory. - Upload destination: The uploader will push screenshots and data to a Gitee repo. Confirm the uploader.sh targets your intended repo/owner and that you trust that destination. If you prefer not to upload, leave uploadToGitee=false or avoid supplying a token. - Run in isolation for first test: If possible, run the skill in a disposable VM or container so you can observe network activity, filesystem changes, and cron modifications before trusting it on a production host. - Review truncated/omitted files: The repository included many scripts; some files were truncated in the review. Inspect any additional scripts (uploader.sh, run.sh, update.sh) for unexpected network endpoints, hardcoded URLs, or behaviour before full deployment. If you want, I can: (a) summarize the contents of uploader.sh/run.sh/update.sh and any omitted files to check for hidden endpoints or unexpected behavior; (b) show the exact crontab entries and recommend safer alternatives; or (c) suggest a minimal manual installation checklist to reduce risk.

Type: OpenClaw Skill Name: xianyu-data-grabber Version: 1.0.0 The skill bundle implements a complex data scraping and reporting tool with several high-risk behaviors. Most notably, 'update.sh' provides a remote code execution mechanism by downloading and overwriting local scripts with code from a Gitee repository. Additionally, 'install.sh' and 'cron-setup.sh' perform system-level modifications, including installing packages via apt-get/yum and establishing persistence through crontab entries. The skill also requires sensitive credentials (GITEE_TOKEN and XIANFU_COOKIE), which are stored in a local JSON file and used in potentially insecure ways, such as embedding the token in a Git URL within 'uploader.sh'. While these features support the stated purpose of an automated scraper, the combination of remote updates, persistence, and high-privilege requirements constitutes a significant security risk.