Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

全民返利助手

v0.1.0

Cross-platform cashback lookup and order guidance covering Taobao, JD.com, Pinduoduo and other major e-commerce platforms: look up a product's cashback rate and generate a cashback link in one step.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill claims to '对接各平台返利 API' (integrate with each platform's cashback API) and generate affiliate/cashback links for platforms (Taobao, JD, PDD, etc.). Doing that in practice normally requires platform-specific affiliate API credentials or partner tokens. The metadata declares no required environment variables or credentials and no config paths, which is inconsistent with the stated purpose.

Instruction Scope (flagged)
SKILL.md is high-level and vague: it lists features, triggers, and output format but contains no concrete runtime steps, API endpoints, or limits. Vague instructions give the agent broad discretion (e.g., web-scraping, prompting the user for credentials, or calling external services) without constraints or declared data flows.

Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes on-disk execution risk because nothing is downloaded or installed by the skill itself.

Credentials (flagged)
No environment variables or primary credentials are declared, despite the need for affiliate/API credentials to implement the promised features. This mismatch could lead the agent to request sensitive credentials ad hoc or attempt unauthorized scraping; required secrets are not enumerated or scoped.

Persistence & Privilege
The skill's always flag is false and the skill does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) but is not combined here with other high-privilege requests.

What to consider before installing
This skill claims to query multiple e-commerce affiliate APIs and generate cashback links but provides no implementation details or declared credentials. Before installing or using it, ask the author which affiliate APIs/endpoints are used, exactly which environment variables or tokens are required, and how credentials are stored and used. Be cautious about providing any platform account credentials or API keys unless the skill explicitly documents the minimal required scopes and where data is sent. Prefer skills that list their required env vars (e.g., a 淘宝联盟 (Taobao Alliance) appkey/appsecret or a 京东联盟 (JD Alliance) token) and show safe usage examples; avoid entering passwords or long-lived tokens into an unverified skill.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.