Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

daily-deals-1.0.0

v1.0.0

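Daily top-deal push service that automatically aggregates discounts from across the web and generates a concise report. Suited to busy bargain hunters and side-hustle arbitrageurs.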

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims full-site aggregation (Taobao/JD/PDD/1688), scheduled pushes, and WeChat delivery, but the package is instruction-only and only declares python3 as a requirement. There are no declared API keys, webhooks, payment integration, or scraping/runtime components. A real implementation would normally require credentials, API endpoints, scraping code, or a service that performs scheduling/delivery — none are present. Also _meta.json.ownerId differs from the registry Owner ID, which is an additional inconsistency.
! Instruction Scope
SKILL.md contains high-level user prompt examples and an example report but no runtime instructions for how to gather prices, authenticate to marketplaces, or deliver messages to WeChat. The instructions are vague (e.g., '订阅每日神价推送,发送到我的微信', "subscribe to the daily top-deal push and send it to my WeChat") and give the agent broad, undefined discretion to act, which could cause it to ask for credentials or attempt ad-hoc scraping without boundaries.
Install Mechanism
There is no install spec and no code files; this is the lowest-risk installation pattern because nothing will be written to disk by an installer. However, the lack of an implementation also creates ambiguity about how promised features will be achieved.
! Credentials
The skill declares no required environment variables or credentials despite promising WeChat delivery and interactions with multiple e-commerce platforms. Those capabilities normally require tokens, cookies, or API keys (and possibly proxies). The absence of any declared credentials is disproportionate and unexplained.
Persistence & Privilege
The skill does not request always:true and is user-invocable. There is no indication it will modify global agent settings or persist credentials automatically.
What to consider before installing
This skill appears to be a high-level description rather than an implemented integration. Before installing or using it:
- Ask the publisher for the actual implementation (code, install instructions, and where it runs). Do not install unless you can review the code.
- Request details on how scheduling and WeChat delivery are implemented and where credentials are stored; require explicit env var names and storage/rotation policies. Never paste your WeChat account credentials into a skill without knowing how they will be used and stored.
- Verify the data sources and scraping approach (APIs vs. screen-scraping) and confirm compliance with marketplace terms of service and local law.
- Confirm the owner identity (metadata mismatch observed) and prefer skills with a verifiable repository, release artifacts on a known host, and explicit install scripts.
- If you proceed, run it in an isolated environment and monitor outbound network requests; ask for a minimal permission set and proof that paid features don't require providing more sensitive credentials than necessary.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bvejye19q9ghkav2496644d83jkxs


Runtime requirements

📦 Clawdis
Bins: python3
