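Yahoo Japan Auction Estimator
Author: HiddenPuppy · GitHub · v1.0.3
Total downloads: 1035
Favorites: 1
Current installs: 0
Versions: 4
Install in OpenClaw
/install yahoo-auction-estimator
Description
Price estimation tool for Yahoo! Japan Auctions items - automatically fetches item information, looks up historical sale prices, and calculates a suggested bid
Security usage recommendations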
This skill appears to do what it claims: it scrapes Yahoo Auctions and aucfree using curl invoked from a Node script, and asks you to set PROXY_SOCKS5 so requests appear to come from Japan. Before installing or running: (1) only set PROXY_SOCKS5 to a proxy you trust (a malicious proxy URL could intercept traffic or, because the proxy string is interpolated into a shell command, could be abused if you set an unexpected value); (2) run the script in an isolated environment or container if you are concerned about network scraping; (3) verify you are comfortable with outbound network access to auctions.yahoo.co.jp and aucfree.com; (4) if you will pass untrusted IDs or environment values, consider reviewing or sanitizing inputs to avoid command-injection risks. Overall the skill is internally consistent and proportionate to its stated purpose.
Functional analysis
Type: OpenClaw Skill
Name: yahoo-auction-estimator
Version: 1.0.3
The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/estimate.mjs`. User-provided auction IDs from `process.argv` are directly interpolated into a URL string, which is then passed to `execSync` within a `curl` command without proper shell escaping. This allows an attacker to execute arbitrary commands on the host system by crafting a malicious auction ID (e.g., `b1220553804; rm -rf /`). While the skill's stated purpose and network calls to Yahoo Auctions and aucfree.com appear legitimate, the lack of input sanitization for `execSync` constitutes a severe security flaw.
Capability assessment
Purpose & Capability
Name/description say: fetch Yahoo! Auctions and historical prices and compute suggested bids. Declared requirements (node, curl) and the single env var PROXY_SOCKS5 are consistent with needing outbound HTTP(S) access via a Japanese proxy to reach the data sources.
Instruction Scope
SKILL.md explicitly instructs running the provided Node script and setting PROXY_SOCKS5; the script only reads that env var and performs HTTP fetches of auctions and aucfree pages. The script uses child_process.execSync to call curl — expected for this type of scraper, but this is an execution-time surface to be aware of (see guidance).
Install Mechanism
No install spec or remote downloads. This is instruction-only plus a local script (estimate.mjs). Nothing is fetched or written during install, so install risk is low.
Credentials
Only PROXY_SOCKS5 is required and declared as primaryEnv. That aligns with the stated need to route requests through a Japan-based SOCKS5 proxy. No unrelated credentials or extra env vars are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills or configs. It runs on invocation and does not attempt to persist or escalate privileges.
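How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install yahoo-auction-estimator
- Once installation completes, call the Skill by name or trigger it with /yahoo-auction-estimator
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.3
Uploaded v1.0.3 via proxy
v1.0.2
Uploaded via proxy
v1.0.1
Fixed the version number and re-uploaded
v1.0.0
Initial version: supports automatic price estimation of Yahoo Auctions items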
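FAQ
What is Yahoo Japan Auction Estimator?
Price estimation tool for Yahoo! Japan Auctions items - automatically fetches item information, looks up historical sale prices, and calculates a suggested bid. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1035 cumulative downloads to date.
How do I install Yahoo Japan Auction Estimator?
Run the command "/install yahoo-auction-estimator" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Yahoo Japan Auction Estimator free?
Yes, Yahoo Japan Auction Estimator is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Yahoo Japan Auction Estimator support?
Yahoo Japan Auction Estimator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Yahoo Japan Auction Estimator?
Developed and maintained by HiddenPuppy (@hiddenpuppy); the current version is v1.0.3.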