ClawHub
Back to skill
v0.1.10

Rakuten Shop Analysis

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:07 AM.

Analysis

This skill is a coherent Rakuten shop-analysis helper that sends the user-provided shop URL or shopCode to a disclosed hosted backend and does not show credential use, persistence, or unrelated local access.

GuidanceThis skill looks purpose-aligned and lightweight. Before installing, make sure you are comfortable sending the Rakuten shop URL or shopCode you type to https://rakuten.845817074.xyz, and avoid adding unrelated confidential information to the request.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package includes runnable Node scripts, but registry source/homepage and install metadata are sparse; this is not suspicious by itself, but it is a provenance detail users may want to verify.

User impactUsers have less registry-level provenance information about where the skill package and hosted service come from.
RecommendationPrefer installing from a trusted registry or the repository identified by the publisher, and confirm the backend domain matches the documented one.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
这个 skill 会把你提供的店铺链接或 `shopCode` 发送到托管后端进行分析

The skill discloses that the user-provided shop identifier is sent to an external hosted backend; this is purpose-aligned, but users should know the input leaves the local environment.

User impactThe Rakuten shop link or shopCode you provide will be sent to the operator's backend service for analysis.
RecommendationUse it only for shop identifiers you are comfortable sharing with the hosted service, and avoid including unrelated private information in the input.