Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

花生日记返利助手

v0.1.0

A social e-commerce cashback tool for 花生日记, centred on 淘宝/天猫 (Taobao/Tmall), providing coupon lookup, cashback queries, and invitation-based tiered cashback management.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability [flagged]
The skill's description promises deep integration with 淘宝/天猫 (hidden coupon lookup, order commission tracking, team/invite management). Those capabilities normally require API credentials (e.g., 淘宝联盟/开放平台 appKey/appSecret or explicit user auth) and concrete API endpoints or scraping logic. The SKILL.md lists planned features but does not declare any required environment variables, auth, or how the agent should access user/order data — this mismatch suggests the manifest is incomplete or underspecified.
Instruction Scope [flagged]
SKILL.md is a high-level feature plan rather than runtime instructions. It does not specify calls to particular APIs, authentication flows, file or path access, or data handling. Because it's open-ended, an agent using this skill could ask the user for credentials or be given wide discretion to scrape websites or otherwise collect user data — the instructions do not constrain those choices.
Install Mechanism
There is no install spec and no code files. That limits the immediate risk from automatic downloads or arbitrary code execution. Instruction-only skills have lower disk/execution footprint, but the lack of implementation details is what raises concern here rather than the install mechanism itself.
Credentials [flagged]
No environment variables or primary credentials are declared, yet the stated features (affiliate API access, order/commission queries, team management) normally require credentials and possibly access to user accounts. The absence of any declared credential requirements is disproportionate and unexplained.
Persistence & Privilege
The skill does not request always:true and has no install steps that would persist code or modify agent/system-wide configs. It is user-invocable and can be invoked autonomously per platform defaults — this by itself is not an elevated privilege in this manifest.
What to consider before installing
This skill looks like a feature plan, not a runnable integration. Before installing or using it, ask the author for concrete implementation details: which Taobao/淘系 APIs will be used, what exact credentials are required (e.g., 淘宝联盟/开放平台 appKey/appSecret or OAuth), how orders and user data are accessed and stored, and whether any third-party endpoints will receive user data or generated promotional materials. Do not share your Taobao/Tmall account credentials directly; prefer OAuth or official API tokens with limited scope. Also prefer skills with a verifiable source/homepage or repository and clear privacy/data-retention policies. If the author cannot provide concrete API endpoints, required env vars, or a source repo, treat the skill as incomplete and avoid granting access to sensitive accounts or secrets.
