Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using it.
Fanli
v4.1.0 · Converts product links or Taobao share codes (淘口令) into promotional links that carry a coupon, compares prices across platforms (Taobao / Tmall / JD.com / Pinduoduo / Douyin / Vipshop / Meituan), looks up historical price trends and gives purchase advice. Triggers when the user sends a product link or Taobao share code, or mentions "转链" (convert link), "比价" (compare prices), "历史价" (historical price), "全网最低价" (lowest price anywhere), "有没有优惠券" (is there a coupon), "值不值得买" (is it worth buying), "价格走势" (price trend), "优惠" (deal), "便宜" (cheap), "划算" (good value), "打折" (discount), "降...
⭐ 0 · 115 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description match the included scripts: convert and compare-price take product links or Taobao share codes (淘口令) and call an external service, which returns product info, cross-platform comparisons, and price history. The single required environment variable (FX_AI_API_KEY) is consistent with the fenxiang-ai API described in SKILL.md.
Instruction Scope
SKILL.md and the scripts explicitly send user-provided product links to https://api-ai-brain.fenxianglife.com and require reading ../fx-base/SKILL.md. The skill instructs the agent to run local Node scripts that import fx-base's fx-api.mjs; those child processes inherit the full environment. Because fx-base is an external dependency that is not bundled here, its code (fx-api.mjs) will run with the agent's environment and could add network calls or exfiltrate data beyond what the scanned scripts show. SKILL.md does tell the user to 'trust that service', but relying on another skill's code increases the attack surface and warrants inspection before use.
Install Mechanism
No install spec; this is an instruction-plus-scripts skill that does not download or extract remote archives during installation. The scripts are local .mjs files and use only Node.js built-ins. This is lower-risk than arbitrary downloads, but the scripts do make network calls at runtime.
Credentials
Only FX_AI_API_KEY is declared as required, which is appropriate for an API-backed price/convert service. However, run.mjs spawns child processes with env: process.env, so every other variable in the agent's environment is visible to the child and, depending on what fx-base/fx-api.mjs does with it, could be sent to remote endpoints. The README also lists Python and curl as requirements, contradicting SKILL.md's Node.js 18+ requirement; the inconsistency is worth noting.
Persistence & Privilege
The always flag is false and the skill does not request system-wide config changes. It reads files in ../fx-base and its own baseDir but does not modify other skills or system settings. Autonomous invocation is allowed by default, but not in combination with always: true.
What to consider before installing
This skill appears to do what it claims, but it depends on an external shared skill (fx-base) and on the fenxianglife API. Before installing or using it:
1) Inspect the fx-base package (especially fx-base/scripts/fx-api.mjs); that code will run with your environment and could exfiltrate secrets.
2) Only provide an FX_AI_API_KEY you trust, preferably a scoped or revocable one, and avoid putting sensitive credentials into your global shell if you plan to run this in production.
3) Confirm you trust https://api-ai-brain.fenxianglife.com as the destination for user-provided product links.
4) Note the README inconsistency (it mentions Python/curl) and use Node.js 18+ as SKILL.md requires.
5) If you cannot or will not inspect fx-base, run this skill in an isolated environment (container or VM) to limit potential exposure.
If you want, I can list the exact checks to perform in fx-base/scripts/fx-api.mjs to look for risky behavior (environment access, reading other files, or additional network calls).
Patterns worth reviewing
scripts/run.mjs:31: Shell command execution detected (child_process).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latest: vk976f5smzjwfenvb8n5adnrayh8448w0
Runtime requirements
Env: FX_AI_API_KEY
Primary env: FX_AI_API_KEY
