Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fastmoss Report

v1.0.1

Automatically generates daily and weekly Top 10 TikTok trending-product data reports for the US fashion-accessories category, including analysis and product-selection recommendations.

by islcy (@islcy1208)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described functionality (scrape FastMoss, build HTML report, deploy to Vercel, optionally post to Feishu) is coherent with the variables and steps in SKILL.md (account, category, region, deploy dir, group ID). However the public registry metadata states no required env vars while SKILL.md lists multiple environment variables (including credentials). That metadata mismatch is an incoherence and should be corrected.
Instruction Scope
SKILL.md directs the agent to use a browser tool to log in to FastMoss, read environment variables (explicitly ~/.openclaw/.env or the system environment), store and change a rotating password in agent memory, write to a deploy directory, and push a Vercel deployment and a Feishu notification. The instructions are vague about how Vercel and Feishu authentication should be performed and neither limit nor describe any external endpoints, so there is no bound on where data could be sent; combining the 'use browser tool' step with credentials could expose sensitive data if the agent transmits them. Using agent memory for password rotation is also a potential leakage vector.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not install third-party binaries or download archives. That lowers install-time risk. The skill does assume runtime tools (a browser tool and an ability to deploy to Vercel) are present but does not install them itself.
Credentials
SKILL.md requests sensitive environment values: FASTMOSS_ACCOUNT and FASTMOSS_PASSWORD (used to log into a third-party site). Those are reasonably needed for login, but the registry metadata omitted declaring them. It also asks for FEISHU_GROUP_ID and VERCEL_DEPLOY_DIR but does not request Feishu or Vercel auth tokens or explain how deployment/auth will be handled—this is inconsistent and could lead the agent to attempt alternative, unexpected authentication flows. Requiring a rotating password stored in agent memory is also questionable practice.
Persistence & Privilege
The skill is not force-included (always:false) and is user-invocable; it uses the agent's workspace (~/.openclaw/workspace/fastmoss-...) and agent memory for state. It does not request elevated system persistence or attempt to modify other skills' configs. This privilege level is typical for such tasks.
What to consider before installing
Before installing or running this skill, be aware it asks you to provide a FastMoss account and password and to store them in environment variables (or in agent memory). That is sensitive—prefer not to give primary account credentials to an autonomous agent. Ask the author to: (1) update the registry metadata to list all required env vars and why they're needed; (2) clarify how Vercel and Feishu will be authenticated (provide explicit tokens/permissions rather than relying on implicit browser flows); and (3) avoid instructing the agent to persist rotating passwords in memory. If you proceed, run the skill in a sandboxed agent, use an expendable or limited-permission FastMoss account, and do not reuse high-value credentials.

Like a lobster shell, security has layers — review code before you run it.

Tags: ecommerce, fastmoss, latest, tiktok

