Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Hot Deals

v1.0.1

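Daily hot-deal push service that automatically aggregates discounts from across the web and generates a concise report. Suited to busy bargain hunters and side-hustle arbitrageurs.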

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The README and description promise full-site aggregation (Taobao/JD/Pinduoduo/1688), profit/arbitrage calculations, scheduled pushes, and WeChat delivery. The included Python tool only returns hard-coded demo deals and formats them to stdout; there is no scraping, API client, authentication, or monetization/scheduling code. This is a clear mismatch between claimed capabilities and the actual implementation.
! Instruction Scope
SKILL.md contains user-facing commands like "订阅每日神价推送,发送到我的微信" ("Subscribe to the daily hot-deal push and send it to my WeChat") and scheduling expectations (daily at 8:00/20:00), but it does not provide runtime instructions for how to perform scheduling or send messages, nor does it call any external services. The instructions are open-ended and rely on the agent having external integrations/credentials that are not declared, giving the agent broad discretion without explicit boundaries.
Install Mechanism
No install spec is provided (instruction-only with one Python tool). The only declared binary requirement is python3. No packages are downloaded or extracted, and no suspicious install URLs are present.
Credentials
The skill declares no required environment variables or credentials, but the documented features (WeChat delivery, e‑commerce APIs, scheduling, paid tiers) would normally require API keys, messaging tokens, or server infrastructure. The absence of declared credentials is inconsistent: either the skill is a purely local demo (as code suggests) or it omits required secrets and will try to access messaging/services via unspecified means at runtime.
Persistence & Privilege
The skill does not request always:true and has no OS restrictions; it does not modify other skills. Autonomous invocation is enabled by default (normal). There is no evidence the skill persists credentials or makes itself always-included.
What to consider before installing
This package appears to be a demo: it prints a mocked deals report locally but does not implement web scraping, API integrations, scheduling, or message delivery (e.g., to WeChat) that the description promises. Before installing or relying on it:
1) Ask the maintainer how live aggregation, scheduling, and messaging are implemented and what credentials (WeChat API keys, e‑commerce API access, proxy credentials) will be required.
2) Require explicit declarations of any env vars or external endpoints the skill will call.
3) If you need real push delivery, insist on secure handling of tokens and review network/call sites in code.
4) Treat the current code as safe but non-functional for the advertised features; do not use it for paid/production workflows until those capabilities are implemented and audited.
5) If you allow the agent to integrate with your messaging, provide credentials only in a limited/test account and audit outgoing traffic.


Runtime requirements

📦 Clawdis
Bins: python3