Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
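Meizhuan Rebate Assistant (美赚返利助手)
v0.1.0 · Tool for the Meizhuan social e-commerce rebate and task platform. It provides shopping rebate lookups across multiple platforms and rewards for promotion tasks, and supports saving money on your own purchases and earning money by sharing.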
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims capabilities that normally require platform APIs, user accounts, or payment bindings (querying Taobao/JD/Pinduoduo rebates, promotion tasks, withdrawals, etc.). However, the skill declares no credentials, API keys, or config paths and provides no implementation details—this mismatch suggests missing or implicit requirements.
Instruction Scope
SKILL.md contains only high-level descriptions, trigger words, and an output format; it does not specify runtime actions, API endpoints, or how user data is obtained. That vagueness gives the agent broad discretion (it could prompt users for credentials or perform web scraping), which increases risk unless clarified.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes on-disk code execution risk because nothing in the package will be written or executed by default.
Credentials
Features like commission tracking and withdrawals normally require access to account credentials or payment info, but requires.env is empty and no primary credential is declared. Either the skill is only a formatting helper (in which case claims are overstated) or it will ask for sensitive data interactively—this is disproportionate and should be clarified.
Persistence & Privilege
always:false and no install/persistence behavior is declared. The skill does not request persistent/system-wide privileges in its metadata.
What to consider before installing
Before installing or using this skill, ask the author how it implements each feature (which APIs it calls, whether it requires Taobao/JD/PDD accounts or payment bindings). Never paste passwords, payment credentials, or long-lived API tokens into chat; prefer OAuth or official API keys stored as environment variables. If the skill will ask for account access, request a clear privacy/security statement and test with a throwaway/dummy account first. If the author cannot explain how withdrawals and marketplace queries are performed or what credentials are needed, treat the skill as untrusted.
