Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

抖音返利管家

v0.1.0

Douyin e-commerce cashback order management tool: tracks commission settlement status on 精选联盟 (Douyin's affiliate platform), compiles statistics on money saved through Douyin shopping, and manages Douyin coupons.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to "sync 精选联盟 cashback orders" and to track the commission settlement lifecycle. However, the manifest declares no environment variables, no required binaries and no install steps, and gives no instructions for reaching Douyin/精选联盟 APIs or data. Performing the stated functionality would normally require API credentials, cookies, or a scraping mechanism; none are documented. This is an incoherence: the claimed capabilities are not supported by the manifest.
Instruction Scope
SKILL.md is largely a feature plan plus an output format (reports); it contains no runtime commands, file or path references, or specific external endpoints. That reduces the immediate risk of unexpected file or credential reads, but the instructions are vague and open-ended (a "plan" rather than operational steps). Vague instructions can lead an agent to ask the user for sensitive data (e.g. login cookies or credentials) or to attempt ad-hoc web access without clear limits.
Install Mechanism
There is no install spec and no code files are present. This is the lowest-risk delivery: nothing is written to disk or executed by an install step.
Credentials
The skill declares no environment variables or credentials. In practice, the described functionality (order sync, commission tracking, coupon management) requires access credentials or user session data for Douyin/精选联盟. The absence of declared credentials is a mismatch: either the skill is incomplete, or it expects the agent to obtain credentials at runtime, which should be stated explicitly.
Persistence & Privilege
The always flag is false and the skill is user-invocable, with normal autonomous invocation allowed. It does not request persistent modification of other skills or of global agent settings. This is a typical and acceptable privilege posture.
What to consider before installing
This skill reads like a product spec rather than an implemented connector. Before installing or using it:
1) Ask the developer for concrete runtime details: which APIs/endpoints will be called, which credentials are required (and why), and how sensitive data is stored and used.
2) Do not provide Douyin/精选联盟 credentials, cookies, or other secrets until you have a clear privacy/security policy and an implementation you trust.
3) Prefer testing with a sandbox account that has limited permissions.
4) If the skill later requests credentials or suggests scraping your account, treat that as higher risk and require an explicit justification and secure handling (encrypted storage, least privilege).
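The mismatch described under Purpose & Capability and Credentials can be checked mechanically before a skill is installed. The script below is an added example, not code from ClawHub, OpenClaw or the skill's author. It assumes SKILL.md carries YAML-style frontmatter with always, user-invocable and a single-line JSON metadata field holding openclaw.requires.env, openclaw.requires.bins and openclaw.install (adjust the key names to your registry's schema); the two sample manifests are constructed to reproduce the finding and its coherent counterpart.

```python
"""Pre-install coherence check for a SKILL.md manifest.

Compares what the description and body claim against what the frontmatter
declares, following the reasoning in the scan findings above.
"""
import json
import re

# Constructed sample reproducing the scan finding: the text claims order sync
# and commission tracking, but no env vars, binaries or install steps are
# declared. Frontmatter key names are an assumption about the schema.
SAMPLE_SKILL_MD = """---
name: douyin-rebate-manager
description: Douyin e-commerce cashback order manager; tracks 精选联盟 commission settlement and manages coupons.
always: false
user-invocable: true
metadata: {"openclaw": {"requires": {"env": [], "bins": []}, "install": []}}
---
# Douyin Rebate Manager
Sync 精选联盟 cashback orders and report settlement status.
"""

# Constructed coherent counterpart: same claims, but the credential the
# functionality needs is declared up front instead of requested at runtime.
COHERENT_SKILL_MD = SAMPLE_SKILL_MD.replace('"env": []', '"env": ["DOUYIN_API_TOKEN"]')

# Terms implying the skill must reach a remote service or a user account.
REMOTE_TERMS = ("sync", "track", "fetch", "api", "order", "login", "account",
                "settlement", "commission", "scrape")
# Terms suggesting the instructions will solicit secrets from the user.
SECRET_TERMS = ("cookie", "password", "session", "token", "credential")


def parse_frontmatter(text):
    """Split SKILL.md into (frontmatter dict, markdown body).

    Handles one `key: value` per line; a value is parsed as JSON when it is
    valid JSON (objects, lists, booleans), otherwise kept as a plain string.
    """
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    fm = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        try:
            fm[key.strip()] = json.loads(value)
        except ValueError:
            fm[key.strip()] = value
    return fm, m.group(2)


def declared_requirements(fm):
    """Return the env vars, binaries and install steps the manifest declares."""
    meta = fm.get("metadata")
    oc = meta.get("openclaw", {}) if isinstance(meta, dict) else {}
    req = oc.get("requires", {})
    return {"env": list(req.get("env", [])),
            "bins": list(req.get("bins", [])),
            "install": list(oc.get("install", []))}


def coherence_findings(text):
    """Return finding codes for a SKILL.md; empty when claims and manifest agree."""
    fm, body = parse_frontmatter(text)
    reqs = declared_requirements(fm)
    declared_anything = any(reqs.values())
    blob = f"{fm.get('description', '')} {body}".lower()
    findings = []
    if any(t in blob for t in REMOTE_TERMS) and not declared_anything:
        findings.append("capability-mismatch")        # claims remote access, declares nothing
    if any(t in blob for t in SECRET_TERMS) and not reqs["env"]:
        findings.append("runtime-credential-request")  # will ask the user for secrets ad hoc
    if fm.get("always") is True:
        findings.append("always-on")                   # loaded into every session, not on demand
    return findings


if __name__ == "__main__":
    for label, doc in (("as published", SAMPLE_SKILL_MD), ("coherent", COHERENT_SKILL_MD)):
        print(f"{label}: {coherence_findings(doc) or 'no findings'}")
```

The check is deliberately a heuristic: a description that names orders, settlement or an account while the manifest declares no credential, binary or install step is the pattern the scanner flagged, and declaring the credential makes the manifest honest rather than safe. Treat a "runtime-credential-request" finding as the trigger for step 4 above.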


latest: vk974nmvbdgf0gjn32bev9v27qd83r32c

