Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

比价返利雷达 (Price Comparison and Rebate Radar)

v0.1.0

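A cross-platform product price comparison and rebate tool that calculates the real final price on each platform (list price - coupon - rebate) and recommends the best purchase channel.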

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to search multiple marketplaces (Taobao, JD.com, Pinduoduo, Douyin) and compute coupons/rebates and historical prices. However, it declares no required credentials, APIs, or data sources. Accurate rebate and coupon data (and some price histories) typically require affiliate API keys, platform APIs, or third-party price-history services; the skill provides none of these and gives no explanation of how it will obtain authoritative data.
[!] Instruction Scope
SKILL.md uses open-ended instructions like “自动在...搜索同款” ("automatically search for the same item on ...") and “展示历史价格走势” ("show historical price trends") without specifying where to query, permitted scraping behavior, or data retention. That vagueness gives the agent broad discretion to crawl many sites or use unspecified third-party services. The instructions do not tell the agent to read local files or exfiltrate secrets, but they also don't constrain network access or define trusted endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer or archive download risk.
[!] Credentials
The skill requests no environment variables or credentials. That is plausible if it only uses public pages, but inconsistent with providing accurate rebate (affiliate commission) and coupon data, which normally require affiliate tokens or platform access. The lack of any required credentials raises questions about data accuracy or a hidden dependency on third-party web scraping.
Persistence & Privilege
always:false and no special persistence requested. Agent autonomous invocation is allowed (platform default), but the skill does not request permanent presence or system configuration changes.
What to consider before installing
Before installing, understand that this skill is an instruction-only spec that promises cross-platform coupon/rebate calculations and price history but does not say where it will get that data or request the affiliate/API keys usually required. Ask the developer: (1) which data sources and endpoints it will query for coupons, rebate rates, and price history; (2) whether it needs affiliate credentials or login cookies and how those are stored/used; (3) whether it will perform web scraping and what rate/targets; and (4) any privacy/data-retention policy. If you plan to rely on its rebate calculations for purchases, prefer a version that declares required APIs/keys or that documents trusted sources. Avoid entering passwords or secret tokens into a skill unless you understand and trust how they will be used and stored.
