Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DianPing-Search

v1.0.0

Dianping (大众点评) API skill for searching restaurants and businesses, viewing shop details, deals/coupons, and reading recommended dishes. Use this skill when:...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Dianping search/shop/deals) aligns with the shipped scripts: they scrape dianping.com via curl and require the dper/dplet cookies. However the published metadata lists no required config paths while the code and SKILL.md explicitly read/write ~/.dianping/cookies.json — a mismatch that reduces transparency and should have been declared.
Instruction Scope
SKILL.md and the Python scripts keep to the stated scope (search/shop/deals) and instruct the user how to set/renew cookies. They also instruct the user to copy sensitive cookie values from their browser and paste them into the tool, which is expected for this design but is inherently risky. The instructions reference a specific user home path (~/.dianping) not declared in registry metadata.
Install Mechanism
Although there's no platform-wide install spec, the package includes an install.sh that decodes base64 blobs and writes files (SKILL.md and scripts) into a directory. The installer prints a curl|bash usage pattern and embeds encoded content — embedding opaque base64 makes static review harder and is a transparency concern. The install script appears self-contained (no external download), but running arbitrary install.sh (especially via curl | bash) from an unknown source is a higher-risk operation.
Credentials
No environment variables or external credentials are requested — good. The tool requires only two Dianping cookies (dper, dplet) which are proportionate to the stated purpose. Caveat: cookies are stored in plaintext JSON under ~/.dianping/cookies.json; that is necessary for the approach but increases local persistence of sensitive tokens and should be considered by the user.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and its filesystem writes are limited to a directory and ~/.dianping. That is within expected scope for a local CLI-style integration.
Scan Findings in Context
[base64-block] unexpected: Base64-encoded blobs were found in the installer/SKILL.md. In this package they are used to reconstruct included files (install.sh decodes and writes scripts/SKILL.md). Embedding encoded payloads is not required for a simple search skill and reduces transparency, making manual review harder.
What to consider before installing
This package appears to implement the Dianping scraping API it claims, but take these precautions before installing or running anything:
1. Do not run install.sh from an untrusted network curl|bash pipe; inspect the script first.
2. Open the included scripts yourself and verify they only contact dianping.com and only read/write ~/.dianping/cookies.json; the code provided in the package largely matches that behavior.
3. Be aware you'll be asked to paste dper/dplet cookie values (sensitive); storing them as plaintext JSON in your home directory is functional but exposes tokens to other local processes/backups.
4. If you want stronger isolation, run the tool in a sandboxed account or container and avoid running the installer with administrative privileges.
5. If you need higher assurance, ask the publisher for provenance (source repo, homepage, signed release) or prefer an integration that uses an official API/SDK instead of scraping.
