Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
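Live-Stream Rebate Assistant (直播返利助手)
v0.1.0
A rebate optimization tool for live-stream shopping. It tracks product rebate information from popular live-stream rooms on each platform and helps users earn extra rebates on live-stream purchases.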
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description promises cross-platform rebate tracking and '生成返利链接下单' (generate rebate links for ordering). Those capabilities normally require platform-specific affiliate credentials (Taobao/Alibaba, Douyin, Kuaishou, JD, WeChat Channels) or an integration mechanism; the skill declares no required env vars, credentials, APIs, or install steps. That is internally inconsistent: either the skill cannot actually perform the claimed actions, or it expects to obtain sensitive credentials at runtime without declaring them.
Instruction Scope
SKILL.md is high level and does not specify how to obtain rebate data, which endpoints/APIs to call, or how links are generated. Phrases like '查询返利比例' (query rebate rates) and '生成返利链接下单' (generate rebate links for ordering) are vague and grant broad discretion to the agent (e.g., scraping pages, asking for cookies/credentials, or contacting external services). There are no explicit instructions limiting what data to read, store, or transmit.
Install Mechanism
No install spec and no code files — lowest install risk (nothing written to disk by an installer). The skill is instruction‑only, so there is no packaged binary or third‑party download to evaluate.
Credentials
The skill requests no environment variables or credentials, yet its stated features (affiliate link generation, multi‑platform tracking) typically require affiliate IDs, API keys, or access to user session cookies. The absence of declared credentials is disproportionate to the claimed functionality and could mean the agent will request sensitive info at runtime or attempt scraping.
Persistence & Privilege
always:false and no install means the skill does not request permanent presence or elevated platform privileges. It does not declare any modifications to other skills or agent-wide settings.
What to consider before installing
This skill's README promises cross‑platform rebate tracking and automatic rebate link generation but provides no technical details (no API endpoints, no affiliate credentials, no install). Before installing or using it, ask the developer to clarify: (1) exactly which APIs or affiliate programs it integrates with, (2) what credentials/tokens are required and whether they will be stored, (3) how rebate links are generated, (4) what data is collected, transmitted, or stored and where, and (5) whether the skill will ask you to paste session cookies or account tokens. Do not paste account credentials, cookies, or API keys into the chat unless you fully trust the developer and understand how they are used and stored. If the developer cannot provide clear answers, treat the skill as unsafe for sensitive accounts; prefer official affiliate tools or documented APIs instead.
Like a lobster shell, security has layers — review code before you run it.
