anjuke-skill
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is coherent, but it asks to store account and identity secrets in skill files and can publish or edit real-estate listings without clear approval checkpoints.
Review carefully before installing. Only use this skill if you are comfortable giving it access to an Anjuke business account and allowing it to affect public listings. Avoid storing passwords or identity details in skill files, use a dedicated low-privilege account if possible, and require manual confirmation before any publish, edit, promotion, or verification action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish or modify listings on the user’s Anjuke account in ways that affect business operations, public advertising, or compliance.
The instructions authorize browser-based publishing and editing of real-estate listings based on automated conditions, but do not require an explicit final user review or approval before those business/public-content changes.
如果剩余端口数量>0 ,则进行步骤4 ... 调用子技能`publish_house`进行房源发布 ... 点击该房源的“编辑”按钮 ... 调用子技能`optimize_description`
Require an explicit confirmation step before every listing publication, description update, promotion, or verification action; show the exact changes and target listing before submission.
Installing or using the skill may give the agent durable access to the user’s Anjuke business account, including authority to perform account actions later.
The skill asks for Anjuke login credentials and instructs the agent to store them in a skill document, despite the registry declaring no primary credential requirement.
请告诉我您的安居客账号(手机号)... 请告诉我您的安居客密码 ... 请你将这两个信息更新到子技能文档`login_your_account`里面
Use a secure credential manager or one-time login flow instead of writing passwords into skill files, and clearly declare the credential requirement in metadata.
Sensitive identity fragments and login-related data could remain in local skill context and be reused or exposed in later agent tasks.
The login subskill persists personal identity-verification data inside the skill document for reuse across future sessions, without secure storage, retention limits, or user-controlled deletion.
请告诉我您的姓名 ... 请告诉我您的身份证号后6位 ... 请你将这两个信息更新到当前技能文档里,下次登录时直接使用
Do not persist identity-verification details in skill documents; request them only when needed, store them securely if absolutely required, and provide clear deletion controls.