优惠券查询·场景快取
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to locally match coupon requests to a bundled list of promotional links, with no evidence of credential access, persistence, or hidden code behavior.
This skill looks safe for normal coupon lookup, but treat returned coupon, short, and deep links as third-party promotional links and verify the destination before opening or submitting information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The user may be directed to third-party promotional or app links that can include tracking or affiliate parameters.
The skill is explicitly designed to return promotional links. This is purpose-aligned, but users may treat agent-provided coupon links as trusted and should still verify destinations before opening them.
Intelligently matches promotional offers and returns ready-to-use promotional links
Open links only if they match the expected merchant or platform, and avoid entering sensitive information on unfamiliar pages.
The skill may not work in environments without Node.js, and users should know it relies on a local script.
The documented workflow depends on running a local Node.js script, while the registry requirements declare no required binaries. This appears operational rather than malicious, but it is an under-declared dependency.
node skills/coupon-finder/scripts/find.mjs "<用户查询>" --limit=5
Declare Node.js as a requirement and keep the bundled script and data file reviewable.
