Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
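慢慢买 Price Comparison Assistant
v0.1.0 · 慢慢买 historical price lookup and price comparison tool, providing cross-platform historical price trend charts for products, detection of genuine versus fake promotions, and purchase timing advice.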
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims historical price charts, cross-platform comparison, fake-promotion detection, and automatic price-drop reminders. Those capabilities are plausible together, but the SKILL.md does not specify any data sources, APIs, or services needed to obtain historical prices or platform pricing. Features like CPS/返利 (rebates) normally require affiliate accounts or tokens, which are not declared. The claimed capabilities therefore lack justification for the access and resources they would require.
Instruction Scope
The SKILL.md contains only high-level runtime goals and an output format and does not instruct the agent to read local files, environment variables, or arbitrary system paths. It does not include commands or external endpoints. However, practical implementation (scraping, API calls, reminders) is unspecified and could later expand the scope.
Install Mechanism
No install spec and no code files — this is an instruction-only skill. That minimizes on-disk code risk; nothing will be downloaded or installed from unknown URLs as part of this package.
Credentials
The skill declares no required environment variables or credentials. In practice, cross-platform price queries, historical price databases, and CPS/affiliate features often require API keys, affiliate IDs, or scraping credentials. The absence of declared env vars is a mismatch with some claimed features and should be clarified before trusting the skill with credentials.
Persistence & Privilege
always is false and there is no install behavior. The skill does not request persistent presence or system-wide configuration. Autonomous invocation is allowed by default but that is normal and not by itself a red flag here.
What to consider before installing
This skill is an instruction-only description for a price-comparison tool and currently contains only high-level behavior and an output template. Before installing or using it, ask the maintainer: (1) Where does the historical price data come from (which APIs or datasets)? (2) Will the skill scrape websites, and if so does that respect site terms of service and your privacy? (3) Does CPS/返利 (rebates) require affiliate IDs or tokens, and where and how would you enter them? (4) How are price-drop reminders delivered (email, push, webhooks) and is any personal contact info stored or sent to third parties? Because the SKILL.md provides no data-source or credential details, do not supply account credentials or secret tokens until you have clear, specific answers and you are satisfied with the data sources and privacy model.
Like a lobster shell, security has layers — review code before you run it.
