Affiliate Marketing Auto
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: affiliate-marketing-auto
Version: 1.0.2
The skill bundle is a comprehensive framework for automating affiliate marketing workflows, including product discovery, SEO content generation, and link tracking. While many of the external API integrations (e.g., Amazon, CJ Affiliate) are currently implemented as stubs returning demo data, the code logic is transparent, well-structured, and strictly aligned with the stated marketing purposes. No evidence of data exfiltration, malicious execution, or prompt injection was found across the source files (src/*.js) or documentation (SKILL.md, README.md).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make marketing or financial decisions based on made-up revenue, conversion, or prediction data.
The implementation states that revenue reports are simulated and uses random values, while the skill is presented as providing real revenue reporting and predictions. This can mislead users into trusting fabricated business metrics.
// Generate mock data (in practice this should be fetched from a database/API) ... totalRevenue: Math.floor(Math.random() * 10000) + 5000
Clearly label the current analytics as demo/mock data, or connect it to real affiliate-platform and tracking data before presenting reports as real.
If implemented or followed by an agent, promotional content could be posted publicly on the user's accounts without sufficient review.
The documented workflow includes scheduled public content publishing, but the artifacts do not describe a required human review/approval step, posting limits, rollback, or account-scope controls.
await affiliate.setupAutomation({ schedule: 'daily', tasks: [ ... { action: 'publishContent', params: { platforms: ['twitter', 'xiaohongshu'] } } ... ] });
Require explicit user approval before each public post, default to draft generation, and document account permissions, rate limits, and how to disable scheduled publishing.
Users may publish non-compliant or misleading affiliate promotions if they rely on the generated content as-is.
The generated promotional templates include affiliate-style recommendations and purchase calls-to-action, but the shown templates do not include an affiliate relationship disclosure by default.
content: `🔥 发现好物!${product.name} ... #好物推荐 ...` ... callToAction: { text: `立即查看 ${product.name}`, url: product.url }
Add clear affiliate disclosure text to every generated review, social post, email, and video script, and keep human review in the workflow.
Affiliate API keys may grant access to account, product, and revenue data depending on the provider.
The skill expects affiliate-platform credentials, which is purpose-aligned, but the registry metadata does not declare required credentials.
apiKey: 'your-amazon-api-key', associateTag: 'your-associate-tag' ... shareasale: { userId: 'your-user-id', apiKey: 'your-api-key' }
Use least-privilege API keys, avoid pasting production credentials into untrusted contexts, and ensure the skill documents exactly how credentials are stored and used.
If used with real visitor traffic, the skill may collect personal or behavioral tracking data.
The example shows click tracking with IP address, user-agent, and referrer data. This is expected for link analytics, but it involves potentially sensitive visitor data.
recordClick(trackingLink.id, { ip: `192.168.1.${i}`, userAgent: 'Mozilla/5.0', referrer: ... })
Minimize collected fields, document retention and storage, and ensure tracking complies with privacy laws and platform policies.
Installing from an unverified repository could expose the user to code that differs from the reviewed artifacts.
Manual installation uses an unspecified repository URL and npm dependencies. This is common for Node-based skills, but users should verify the source because the registry source is listed as unknown.
git clone <repository-url> affiliate-marketing-auto ... npm install
Install only from a trusted, matching repository and prefer pinned, reviewed releases.
