ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

品牌分析师(Zeelin付费版)

v1.0.2

品牌分析 Skill(零配置版)。用户仅需提供 Zeelin App-Key 和品牌名,调用服务端封装接口生成品牌底座;计费在服务端完成(成功扣50额度,失败不扣费)。

0· 89·0 current·0 all-time
by@linhai806806-cell

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for linhai806806-cell/brand-analyzer-zeelin.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "品牌分析师(Zeelin付费版)" (linhai806806-cell/brand-analyzer-zeelin) from ClawHub.
Skill page: https://clawhub.ai/linhai806806-cell/brand-analyzer-zeelin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install brand-analyzer-zeelin

ClawHub CLI

Package manager switcher

npx clawhub@latest install brand-analyzer-zeelin
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (brand analysis via Zeelin App-Key) is plausible for asking the user to provide an App-Key and calling a backend API. However the SKILL.md references a Cloudflare-workers domain (following-hull-easy-interactions.trycloudflare.com) rather than the claimed Zeelin billing host (skills.zeelin.cn) — the skill even says the API host must be replaced before publishing but the published SKILL.md still contains the placeholder. This discrepancy is unexpected for a published Zeelin-branded integration.
!
Instruction Scope
Instructions require the agent to prompt the user for their App-Key and then send that key plus brand data (and optionally attachments) to the specified external endpoint. Sending user credentials (App-Key) to an external host is expected for a third-party integration only if the endpoint is the official service; here the endpoint is an opaque trycloudflare.com host. The instructions do not constrain what the backend may do with the App-Key (beyond a prose claim that billing happens server-side).
Install Mechanism
This is an instruction-only skill with no install steps or code to write to disk, which is the lowest-risk install model.
!
Credentials
Although the skill requests no environment variables or local credentials, it explicitly instructs the agent to collect the user's Zeelin App-Key and transmit it to the specified host. Requiring the user's App-Key is reasonable for an API-backed service, but the lack of an official/verified endpoint and the use of a trycloudflare.com domain makes this request disproportionate without further verification.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges or modification of other skills. Autonomous invocation is allowed (platform default) but does not combine here with other high privileges.
What to consider before installing
Do not provide your Zeelin App-Key to this skill until you verify the backend. Specific things to check before using/installing: 1) Confirm the API host: ask the publisher for an official, stable HTTPS domain (preferably under zeelin.cn or another vendor-controlled domain) and compare it against Zeelin's official docs. The SKILL.md currently contains a placeholder Cloudflare Workers URL — that is a red flag. 2) Ask the author why the placeholder was not replaced and request a verifiable service owner and privacy/billing terms. 3) If you must test, create a scoped/test App-Key with minimal permissions/funds and no sensitive data, and revoke it afterward. 4) Avoid uploading sensitive attachments through this skill until the backend is confirmed trusted. 5) Prefer integrations that use documented, official endpoints (and preferably OAuth or per-integration credentials rather than uploading your main API key to an opaque host). If the publisher cannot provide a clear, official backend domain and billing guarantee, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97emyyv8a9y1e4e7vn0fye0gh842857
89downloads
0stars
3versions
Updated 3w ago
v1.0.2
MIT-0
@linhai806806-cell
latest
Download

隐私与透明度

  • 服务提供方:Brand Analyzer API
  • 计费平台:智灵 Skill 平台(https://skills.zeelin.cn)
  • 数据处理:用户输入的品牌名/查询文本(可选附件)会发送到服务端生成品牌底座
  • 敏感信息:网关密钥、计费逻辑、skill_id 均在服务端,不在本 Skill 包中分发

使用时机

当用户需要:

  • 品牌底座、品牌分析、品牌定位梳理
  • 竞品格局、用户画像、品牌调性总结
  • 从品牌名快速产出结构化品牌报告

不适合:图片生成、代码生成、视频制作、纯数据爬虫任务。

计费规则

  • 每次成功生成品牌底座扣 50 额度
  • 失败不扣费
  • 用户需在智灵平台创建并充值 App-Key

第一步(强制):索取用户 App-Key

在任何生成动作前,先向用户索取 App-Key:

开始前需要先验证你的智灵账户额度。请提供你的 App-Key。

如果用户未提供 App-Key,停止后续流程。

第二步:调用品牌分析接口(服务端封装)

固定接口地址(发布前必须替换为你的稳定正式域名)

https://following-hull-easy-interactions.trycloudflare.com

2-A. 常规请求(品牌名必填)

POST https://following-hull-easy-interactions.trycloudflare.com/v1/brand-analyzer/generate

Headers:

  • App-Key: <用户App-Key>

Body (multipart/form-data):

  • brand_name (必填)
  • query (选填)

2-B. 附件策略(可用则传,失败降级)

  • 若客户端支持附件上传:额外传 file
  • 若上传失败或客户端不支持:自动降级为仅 brand_name + query 并告知用户“已降级执行”

第三步:处理返回

成功

当返回 code=200

  • 输出 data.markdown 作为主结果
  • 补充提示:本次生成成功,消耗 50 额度,剩余额度 data.remain_calls

失败

code!=200

  • 直接使用 message 给用户可执行提示
  • 常见场景:
    • 402:余额不足,提示前往智灵充值
    • 404:App-Key 无效,提示检查 Key
    • 500:服务异常,提示稍后重试

安全边界

  • 本 Skill 不包含核心业务逻辑与计费实现。
  • 所有扣费链路均在服务端执行:detail -> business -> cost(50)
  • 不在 Skill 包内暴露网关 key、内部提示词、skill_id。

Comments

Loading comments...