Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
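🛍️ Taobao/JD.com/Pinduoduo Price Comparison Skill
v1.0.3 Web-wide product price comparison skill: gets the best price and coupons for a product on Taobao, TMall, JD.com, PinDuoDuo, Douyin and KaiShou. Use it when the user wants to shop or get discount information. Get the best price, coupons for goods on Chi...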
⭐ 12 · 3.5k · 45 current · 49 all-time
by Alone @al-one
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the script queries maishou88.com endpoints for search and detail data for Chinese e‑commerce platforms. Requiring a CLI runner 'uv' to invoke the Python script is coherent.
Instruction Scope
SKILL.md states the script "will not read/write local files" and only requests data from maishou88.com; the code does not perform file I/O but it does read an environment variable MAISHOU_INVITE_CODE (used as an affiliate/invite code) which is not documented in requires.env. The instructions claim no env vars are needed, so the code accessing an env var is an undocumented side-effect.
Install Mechanism
Install metadata includes brew formula 'uv' and pip fallbacks for 'uv', aiohttp, argparse, PyYAML. Requiring 'uv' to run the script is reasonable, but the pip 'argparse' entry is unnecessary (argparse is in the Python stdlib) and the pip 'uv' package/name is ambiguous; verify these packages/formulae before installing. No downloads from arbitrary URLs or extract steps are present.
Credentials
The skill declares no required env vars but the code reads MAISHOU_INVITE_CODE and falls back to a hardcoded invite code. This is a minor inconsistency: the env var could be used for affiliate tracking and is not a secret credential, but the agent will access that environment variable if present. No other credentials or secrets are requested.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system privileges, and does not modify other skills or system-wide settings.
What to consider before installing
This skill is largely coherent with its description: it queries maishou88.com for price and coupon info and prints results. Before installing, consider: (1) the script reads MAISHOU_INVITE_CODE (not documented) — if you have a sensitive value in that env var, it could be used in requests; leave it unset if you don't want affiliate tracking. (2) Verify the 'uv' install sources (brew formula and any pip package named 'uv') to ensure you're installing the intended runner. (3) The skill makes network requests only to maishou88 API hosts — confirm you trust that service and its privacy practices. (4) Prefer running the script in an isolated environment (container/VM) if you're unsure. If you want stronger assurance, ask the publisher for: explicit documentation of MAISHOU_INVITE_CODE, clarification of the 'uv' package/formula names, and verification that no other endpoints are contacted.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cz5gj15wq66srw5jcxn72kx8313y1
Runtime requirements
🛍️ Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv