美团出行红包

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s coupon functions are coherent, but it asks users to authenticate a Meituan account while claiming official status without clear provenance and stores/migrates tokens in broad shared local caches.

Treat this as a review-needed skill before installing. The coupon API behavior appears purpose-aligned, but you should verify that the publisher is truly Meituan, understand where tokens are stored, and avoid entering phone/SMS login details unless you trust the source and are comfortable with persistent local token storage and optional daily automation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may be more willing to enter a phone number, SMS code, or accept token storage because the skill presents itself as official.

Why it was flagged

The skill explicitly asks users to trust it as an official Meituan assistant and authentication provider, but the supplied registry metadata lists the source as unknown and has no homepage.

Skill content

description: "【美团官方】美团出行助手... 内置美团官方账号认证,登录即可领券..."

Recommendation

Verify the publisher and an official Meituan distribution page before entering login information or SMS codes.

What this means

The skill gains delegated access to act on the user’s Meituan account for coupon issuance and queries.

Why it was flagged

The skill performs phone/SMS login and stores a Meituan user token locally, while the metadata declares no primary credential or required credential contract.

Skill content

$PYTHON "$AUTH_SCRIPT" send-sms --phone <手机号>
$PYTHON "$AUTH_SCRIPT" verify --phone <手机号> --code <6位验证码>
Success → `user_token` has been written locally

Recommendation

Only authenticate if you trust the publisher; the registry should clearly declare the account credential/token requirement and scope.

What this means

Local authentication data may be copied into a cross-skill shared cache, increasing exposure if other skills or tools can read that workspace.

Why it was flagged

The auth code scans legacy auth-token files and writes the full legacy JSON data into a shared cache file, rather than clearly limiting migration to only this skill’s Meituan token entry.

Skill content

openclaw_path = Path.home() / ".openclaw" / "workspace" / "auth_tokens.json"
...
write_result = _cli_call("shared", "write", ["mt_auth_tokens.json", "--content", json.dumps(legacy_data)])

Recommendation

Limit migration to the specific Meituan auth key, avoid copying whole auth files, and document the exact token storage path, retention, and access boundary.

What this means

Tokens may remain available across sessions and potentially across related skills in the same local workspace.

Why it was flagged

The included cache tool intentionally stores authentication data in a shared cross-skill area. This is disclosed in code comments and may be intended for Meituan skill interoperability, but it is sensitive persistent state.

Skill content

.shared/    - public-domain data (shared across Skills, e.g. mt_auth_tokens.json)

Recommendation

Use the skill only in a trusted local workspace, and provide users with a clear logout/token-delete process.

What this means

After enabling it, the agent can run daily coupon claims without asking each time.

Why it was flagged

The skill can create a durable scheduled job for automatic daily coupon claiming after user confirmation. This is purpose-aligned and includes cancellation guidance, but it is persistent autonomous behavior.

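Skill content

Automatically claim coupons for you on a daily schedule? They will be claimed for you at the set time, with no further confirmation needed... CronCreate --cron "0 10 * * *" ... --durable true

Recommendation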

Enable scheduled claiming only if desired, keep track of the cron job, and use the documented cancellation flow when no longer needed.