Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Affiliate Marketing Auto
v1.0.2自动化联盟营销全流程,支持高佣金产品发现、SEO内容生成、链接追踪和收入报表分析,助力24/7被动收益。
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (affiliate marketing automation) aligns with the code and SKILL.md: modules for product discovery, content generation, link tracking and analytics exist. However there are minor incoherences: registry/skill metadata (slug/version) differs from package.json/clawhub.json names and versions (skill metadata version 1.0.2 vs package.json 1.0.1; clawhub.json lists name "affiliate-marketing-pro" while the public slug is "affiliate-marketing-auto"). Source is listed as unknown and homepage is absent despite README pointing to a GitHub URL. These provenance and naming mismatches reduce trust and should be clarified.
Instruction Scope
SKILL.md stays within the stated scope: it instructs the agent to configure affiliate platform API keys via configure(), call findProducts(), generateContent(), createTrackingLink(), getRevenueReport(), exportReport(), and setupAutomation(). It does not instruct reading arbitrary system files or shell history. One operational mismatch: the documentation and examples assume real-time income data from affiliate platforms, but the analytics module in the source generates simulated/random data rather than querying a backend—this contradicts claims of '实时收入仪表板' unless other modules (product-finder/link-tracker) collect real data. You should inspect product-finder.js and link-tracker.js (truncated in the bundle) to confirm how external APIs and click events are handled.
Install Mechanism
No install spec is provided in the skill bundle (instruction-only install recommendations exist). The package contains package.json with typical npm dependencies (axios, cheerio, node-fetch) and a package-lock; no remote one-off downloads or obscure install URIs are present. That is a normal and lower-risk install pattern for Node.js code, but installing will pull common npm packages—standard supply-chain hygiene (scan dependencies, run npm audit) is recommended.
Credentials
The skill requests no declared environment variables or primary credential in its metadata, yet runtime use requires platform API keys (Amazon, ShareASale, CJ, etc.) provided via affiliate.configure(). This is not necessarily malicious, but metadata should clearly document required credentials. Before providing API keys, verify the code paths that store, transmit or log those keys (especially product-finder and link-tracker). Also confirm whether the code ever sends keys or tracked data to third‑party endpoints beyond the configured affiliate platforms or your configured shortener.
Persistence & Privilege
The skill does not request always:true and does not declare any system-level config paths or service privileges. It exports a skill instance and performs in-process operations; it does not appear to modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal).
What to consider before installing
In plain terms: the code mostly does what the description says, but the package's provenance and some implementation details are unclear—take these steps before installing or handing over API keys:
1) Verify the source repository and maintainer (confirm the GitHub URL actually hosts this exact code and that the maintainer is trustworthy). The bundle shows mismatched names/versions; ask the publisher to explain.
2) Inspect product-finder.js and link-tracker.js (the truncated files) to confirm how they call external APIs, whether they scrape sites, and whether they post any data to unexpected endpoints (look for axios/fetch POSTs to non-affiliate domains or hardcoded URLs).
3) Don't pass real affiliate API keys or account-level secrets until you confirm where they are used/stored. Prefer providing keys to a local sandboxed run first and monitor outbound network requests.
4) Run the test suite locally and observe network activity (use a network proxy or packet capture) to ensure no unexpected exfiltration. Also run npm audit on dependencies.
5) Note the analytics module generates simulated/random data—if you need real-time, production-grade reporting, verify integration with your affiliate platforms is implemented and tested.
If you cannot confirm provenance or the external-calls in product-finder/link-tracker, treat the skill as untrusted and avoid supplying real credentials or running it on production systems.Like a lobster shell, security has layers — review code before you run it.
latestvk971x4nvhm82nnx2hkb4az88bn83986d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.