Is lazygunner/taobao-image-search safe?

https://github.com/openclaw/skills/tree/main/skills/lazygunner/taobao-image-search

Score: 85 · SAFE

taobao-image-search is a legitimate Taobao shopping automation skill using Playwright browser automation for image-based product search and cart operations. No prompt injection, malicious code execution, or data exfiltration to external endpoints was detected; canary integrity was maintained throughout. Primary concerns are operational rather than malicious: Taobao authentication cookies and a full browser profile are persisted to predictable disk locations accessible to co-installed skills, scripts are hardcoded to a macOS Homebrew Playwright path making them non-portable, and the automated add-to-cart flow operates without per-item user confirmation.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (8)

MEDIUM Hardcoded macOS-specific Playwright require path -15

Both scripts use require('/opt/homebrew/lib/node_modules/playwright') — an absolute path tied to macOS Homebrew. This will throw MODULE_NOT_FOUND on Linux/Windows, meaning the scripts only function on a specific macOS setup. While not inherently malicious, it indicates the skill was written for a specific environment without portability guards.

MEDIUM Taobao authentication cookies persisted to predictable disk location -12

save-taobao-cookie.js writes full browser storage state (including Taobao session cookies) to verification-artifacts/taobao-storage-state.json. It also creates a persistent Chromium user data directory at .pw-user-data-taobao/ which accumulates cache, IndexedDB, history, and form autofill data beyond just cookies. These files persist after the skill completes and are readable by any co-installed skill or process with filesystem access.

MEDIUM Automated add-to-cart without per-item user confirmation -15

verify-taobao-runner.js autonomously selects the 'most similar' product from search results and clicks add-to-cart, selecting default SKU options if needed. While SKILL.md prohibits purchase/payment, silently adding items to a user's live cart based on AI similarity scoring could result in unintended cart changes the user may not notice.

LOW page.evaluate() exposes automation to Taobao-controlled JavaScript context -10

The runner uses page.evaluate() in multiple places (candidate extraction from search results, cart item verification) to run JavaScript inside the Taobao browser context. If Taobao's page injects adversarial content targeting Playwright automation (unlikely but theoretically possible), it could affect execution flow.

LOW Persistent browser profile stores more than necessary authentication data -10

launchPersistentContext creates a full Chromium user data directory rather than an isolated ephemeral context, accumulating browsing history, cached responses, and other browser state beyond the authentication tokens needed. storageState() would have been sufficient for the stated goal of cookie persistence.

INFO Skill requests broad tool permissions (bash, browser, filesystem) -7

SKILL.md instructs the agent to execute shell commands (node ..., ls), use browser automation tools, and read local files (image paths). All permissions align with stated functionality. No permissions are requested beyond what image search and cart automation require.

INFO Clean installation — only expected GitHub traffic observed 0

Git clone connected only to 140.82.121.4:443 (GitHub). Ubuntu package update connections pre-existed and were not initiated by the install. Connection diff shows no persistent new connections after install. No unexpected process execution during clone phase.

INFO Canary file accesses are attributable to Oathe monitoring system, not skill 0

OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear at timestamps 1771940958 (before git clone at 1771940963) and 1771940975 (post-install sweep). These are the monitoring system's canary baseline and integrity checks, not the skill code.