ClawHub

美团优惠券自动领取

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Meituan coupon helper that openly automates coupon claiming, with some consent and scheduling caveats users should understand.

Install only if you want OpenClaw to control a browser session for Meituan coupon claiming. Make sure the browser is logged into the intended account, treat the clicks as real account actions, and enable the daily schedule only if you deliberately want recurring automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrase "查看优惠券" is broad enough to match ordinary user intent to merely inspect coupons, yet this skill’s primary behavior performs browser automation to claim coupons and may also encourage downstream persistent automation. That creates a risk of unintended execution of account-affecting actions from a benign informational request.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list mixes immediate execution with scheduling behavior, including phrases like "设置每日自动领取", without a strong confirmation boundary. If matched loosely, a user could accidentally enable recurring automated actions on their account when they only intended to ask about options or capabilities.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill includes a cron-based recurring task that automates coupon claiming but does not present a clear user-facing warning about persistence, frequency, or how to disable it. Persistent automation on a logged-in commerce account increases the chance of unintended repeated actions, user confusion, and abuse if triggered without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal