Official Meituan Red Packet Assistant
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: meituan-coupons
Version: 1.0.0
The skill bundle implements a Meituan coupon assistant with complex authentication and persistence mechanisms. While it appears functional, it contains heavily obfuscated JavaScript in the vendor directory (cliguard.js and cliguard-wrapper.js) used for request signing, which prevents transparent code review. Additionally, SKILL.md and references/cron-rules.md contain explicit instructions for the AI agent to store sensitive user_tokens in its own persistent memory files (e.g., MEMORY.md) and to hide execution details from the user, which are high-risk patterns for prompt injection and state management. Network activity is directed to peppermall.meituan.com.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may trust the skill as an official Meituan integration and provide account authentication without being able to verify provenance from the artifacts.
The SKILL.md repeatedly presents the skill as official Meituan software, but the supplied registry metadata provides no source or homepage to verify that claim before a user logs in.
Source: unknown; Homepage: none
Only install if you can independently verify the publisher and official Meituan authorization; the registry should provide a verifiable homepage/source and ownership proof.
Asking about discounts or coupons may cause the agent to run the coupon-issuance flow immediately.
The skill is designed to perform coupon issuance directly for broad discount-related intents. This matches the one-click purpose, but it means a user’s Meituan account can be acted on without an extra confirmation step.
Contains benefit words such as "claim coupon / discount / save money / red packet / perks / freebies" ... → [clear intent] run the coupon-claiming flow directly, without asking
Use it only if you are comfortable with one-click coupon actions, and prefer adding a confirmation step for ambiguous requests.
A Meituan session token could be exposed locally outside the intended script, potentially allowing account actions by another local process or user.
The instructions pass a high-value Meituan user token through process arguments. Process argv can be visible to local process inspection or logging, and the registry metadata declares no primary credential.
ISSUE_RESULT=$($PYTHON "$ISSUE_SCRIPT" --token "$USER_TOKEN" --phone-masked "$PHONE_MASKED")
Avoid command-line token arguments; use stdin, a protected file descriptor, or the documented --auto path with private in-process credential retrieval, and declare the credential requirement in metadata.
Login tokens and related coupon/account state may persist across sessions and be available to other skills or tools using the same workspace cache.
The cache design stores authentication data in a cross-skill shared area. Persistent shared auth state can be reused or affected outside a single coupon task and is not declared in the registry requirements.
.shared/ - public data (shared across Skills, e.g. mt_auth_tokens.json)
Store auth state in a skill-private location by default, clearly disclose retention and sharing, and provide simple logout/cleanup instructions.
Code outside the reviewed skill package could be loaded later and run in the same authentication/signing path.
The bundled signing helper can prefer code from a user-home cloud-update directory over the packaged files. That introduces unreviewed update provenance into a skill that handles account tokens.
_UPDATE_DIR = Path.home() / '.cliguard' / 'cliguard-updates' ... if use_updated: ... updated = _UPDATE_DIR / 'core' / filename
Disable automatic update loading for reviewed skills, pin helper code to packaged files, and document any update channel with integrity verification.
A helper process may continue running outside the immediate coupon request, making behavior harder for the user to observe or stop.
The helper contains a silent detached Node.js daemon launch path. Background persistence is not described in the registry requirements or the visible user-facing purpose.
subprocess.Popen(['node', _CLIGUARD_WRAPPER_PATH, '--start'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL, start_new_session=True, env=env)
Disclose any daemon behavior, require explicit user approval before starting it, provide a stop/uninstall command, and avoid hidden background processes for simple API signing.
