Fanli
Security checks across malware telemetry and agentic risk
Overview
This shopping coupon and price-check skill mostly matches its purpose, but its command runner is broader than needed and could execute reachable local .mjs files outside the intended skill scripts.
Before installing, make sure you trust the feima-lab/fenxianglife service and the separate fx-base dependency. Do not share sensitive shopping links or API keys. The publisher should tighten run.mjs so it can only call the intended convert and compare-price scripts.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or manipulated invocation could cause the agent to run local JavaScript that is not part of this shopping skill, potentially with access to environment variables such as the API key.
The script name comes from command arguments and is not restricted to a fixed allow-list; path segments such as '../' could make the runner execute an existing .mjs file outside the intended scripts directory, using the current environment.
const mjsFile = join(_scriptDir, `${name}.mjs`); ... await runScript(mjsFile, args.slice(2)); ... spawn(process.execPath, [scriptPath, ...args], {
Restrict the callable scripts to a hardcoded allow-list (convert and compare-price), reject any name containing a path separator or '..', and verify that the resolved real path still lies inside the skill's scripts directory before spawning it.
The safety of API-key handling and network requests partly depends on the separate fx-base skill.
Core authentication and API-posting behavior is delegated to a sibling fx-base package that is not included in the reviewed file manifest.
const _fxApiPath = join(_scriptDir, '../../fx-base/scripts/fx-api.mjs'); ... const { fxCheckAuth, fxPost } = await import(_fxApiPath);
Install fx-base only from a trusted source, and review or pin the exact version whose fx-api.mjs is used for API authentication and posting.
Anyone who can read or misuse this environment variable may be able to access the associated feima-lab API account.
The skill requires a provider API key, which is expected for this integration and is disclosed in the skill metadata.
requires:
env:
- FX_AI_API_KEY
primaryEnv: FX_AI_API_KEY
Use a dedicated, revocable API key and avoid exposing it in logs, shared terminals, or screenshots.
Product links, shopping tokens, and related query data may be processed by the external service.
The skill clearly discloses that user-provided shopping links are sent to an external provider for parsing.
User-provided product links are sent to `https://api-ai-brain.fenxianglife.com` for parsing
Only submit links you are comfortable sharing with the provider, and review the provider's privacy practices if the links contain personal or account-specific tokens.
