xianyu-search
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign shopping helper that generates second-hand marketplace search links and buying advice, with no evidence of credential use, data exfiltration, persistence, or destructive behavior.
This skill looks safe for its stated purpose: it helps create search links and shopping checklists. Treat its recommendations as guidance, not verified live marketplace results, and only run the optional Node.js CLI if you trust the installed package.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users could over-trust formatted recommendation tables unless they verify the actual listings on the marketplace pages.
The skill is described as a search and recommendation helper, but it clearly discloses that it generates links and formatted output rather than performing live data retrieval itself.
**Generate search links** ... **Format output** ... **Does not perform network requests or external API calls**
Use the generated links as a starting point and manually verify prices, seller reputation, and item condition before acting.
Running the CLI executes local skill code on the user's machine, although the visible behavior is limited to parsing input and producing search links.
The documentation includes an optional CLI path that executes the packaged JavaScript locally; this is purpose-aligned and no privileged commands are shown.
node cli.js "帮我找闲鱼上的 MacBook Air M1 预算 2300"
(the quoted prompt reads roughly: "find me a MacBook Air M1 on Xianyu, budget 2300")
Only run the CLI from a trusted installation location and avoid granting elevated permissions.
Users have limited registry-level assurance about where the package originated.
Registry-level provenance is limited even though package files and repository claims are present in the artifacts.
Source: unknown
Homepage: none
Prefer installing from a verified publisher or compare the package against the claimed repository before relying on it.
