What is this skill

This skill wraps kujiale_upload.py — a self-contained Python script that
validates the complete Kujiale OpenAPI 3D model upload pipeline in exactly 5 steps.
The script uses Python requests / oss2 only, and explicitly disables
environment-derived proxy / certificate overrides (trust_env=False) because
those settings can cause TLS handshake failures in some Windows environments:

Step	Method	Endpoint	Description
1	GET	INLINECODE4	Obtain OSS STS credentials + INLINECODE5
2

PUT | Alibaba OSS (oss2) | Upload ZIP bytes to OSS |
| 3 | POST | /v2/commodity/upload/create | Trigger server-side model parsing |
| 4 | GET | /v2/commodity/upload/status | Poll parse status until status == 3 |
| 5 | POST | /v2/commodity/upload/submit | Submit parsed model → returns brandGoodId |

Authentication: INLINECODE12

API Key: Apply at Manycore OpenAPI Console

---

Quick Start

CODEBLOCK0

---

Prerequisites and Scope

This skill is intended for users who already have:

• - A valid Kujiale OpenAPI appKey / appSecret — Apply at Manycore OpenAPI Console
• Permission to call the commodity model upload APIs in their Kujiale tenant
• A .zip package that matches Kujiale's 3D model import requirements
• Network access to openapi.kujiale.com and the OSS endpoint returned by Step 1

This repository does not include:

• - Any built-in credentials
• Any guarantee that the generated placeholder ZIP is a production-valid 3D model package
• Any tenant-specific category mapping beyond the sample defaults in INLINECODE17

The auto-generated ZIP is only for API connectivity and workflow smoke testing.

Configuration

Required credentials

You must supply your own Kujiale OpenAPI credentials. There are no built-in defaults.

Method	How to set
Environment variable (recommended)	INLINECODE18 / INLINECODE19
CLI flag

--app-key xxx --app-secret xxx |
| Programmatic dict | run_skill({"app_key": "xxx", "app_secret": "xxx"}) |

Priority: explicit CLI/dict value > environment variable

If credentials are missing, you will see:
CODEBLOCK1

All configuration parameters

Parameter	Env var / dict key	Default	Description
INLINECODE22	INLINECODE23	(required)	Kujiale OpenAPI appKey
INLINECODE24

KUJIALE_APP_SECRET | (required) | Kujiale OpenAPI appSecret | | zip_path | — | (auto-generated test ZIP) | Path to the ZIP file to upload | | poll_interval | — | 5.0 | Seconds between status polls | | poll_timeout | — | 300.0 | Max seconds to wait for parse completion | | dry_run | — | False | If True, skip all network calls and return mock data |

Transport behavior

• - Default path: API calls use requests; OSS upload uses INLINECODE35
• The script creates dedicated sessions with INLINECODE36
• This prevents inherited proxy / CA bundle environment settings from breaking TLS handshakes
• If you run this skill inside an agent or IDE that sandboxes outbound network access, the real upload path requires unrestricted network access to openapi.kujiale.com and the returned OSS endpoint. The script now reports this case explicitly and tells you to rerun with network permissions enabled.

Built-in Step 5 defaults

INLINECODE38 currently submits with these sample defaults:

• - INLINECODE39
• INLINECODE40

These values are not universal. They appear to be business defaults from the original implementation and may be wrong for another tenant or another catalog tree. If your account requires different category metadata, update the script before using the real submit step.

---

Usage

CLI

CODEBLOCK2

Programmatic (Python)

Import and call run_skill(params) directly:

CODEBLOCK3

---

Test / Run

What to expect on a successful run

CODEBLOCK4

Parse status codes (Step 4)

Status	Meaning
0	Generating
1

Parsing ZIP | | 2 | ZIP parse failed → raises RuntimeError | | 3 | ZIP parse success, ready to submit → proceed to Step 5 | | 4 | Submit success | | 5 | Submit task exception → raises RuntimeError |

Common failure modes

Error	Cause	Fix
INLINECODE42	No credentials configured	Set KUJIALE_APP_KEY / KUJIALE_APP_SECRET env vars, or pass via --app-key / INLINECODE46
INLINECODE47

Invalid appKey/appSecret | Check credentials on Kujiale open platform | | FAILED: ZIP file not found: ... | Invalid --zip path | Pass an existing local .zip file | | FAILED: ZIP file must end with .zip: ... | Wrong file type | Package the model as .zip before upload | | Step 4 poll timeout after 300s | Parse taking too long | Increase --poll-timeout | | Step 4 FAILED: status=2 | Invalid ZIP format | Ensure ZIP contains valid model files | | Step 1 request failed: ... / Step 5 request failed: ... | Network/API connectivity or a local environment override | Check firewall, VPN, DNS, and whether your shell injects custom proxy / CA env vars | | outbound network access appears to be blocked by the current runtime or sandbox | The tool is running in a restricted sandbox/agent session | Re-run the same command with unrestricted network access, or allow the agent/tool to escalate network permissions | | Step 2 OSS PUT failed: ... | OSS connectivity or STS issue | Check returned OSS region/bucket and network reachability |

---

Dependencies

CODEBLOCK5

Install:

CODEBLOCK6

---

Publishing Checklist

Before publishing externally, verify:

• - [ ] No real credentials in any tracked file — run:

  grep -rn "app_key\|app_secret" . --include="*.py" --include="*.json" --include="*.md" | grep -v ".env.example" | grep -v "YOUR_APP"
  

Confirm only placeholder / env-var references remain.

• - [ ] .env is not committed (keep it local only)
• [ ] .env.example is committed with placeholder values only
• [ ] Add .env to .gitignore in the repo that vendors this skill
• [ ] README / SKILL.md directs users to set KUJIALE_APP_KEY / INLINECODE65
• [ ] python kujiale_upload.py --dry-run succeeds on a clean machine
• [ ] python kujiale_upload.py without credentials fails with a single-line FAILED: message, not a traceback

---

Security Notes

• - Credentials are never logged. The script logs appKey (for traceability) but never logs appSecret or the computed sign.
• INLINECODE72 flows only through the in-memory _sign() function and is never serialised to disk or printed.
• STS tokens returned by Step 1 are temporary (short TTL) and scoped to a single upload — no long-lived secrets are stored.
• If you suspect your appKey/appSecret have been exposed, rotate them immediately on the Manycore OpenAPI Console.

---

File Tree

CODEBLOCK8