mt-paotui
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: mt-paotui Version: 1.0.0 The skill bundle contains heavily obfuscated JavaScript files (cliguard.js and cliguard-wrapper.js) that implement a persistent background daemon and a remote self-updating mechanism. While these components are likely intended to generate proprietary request signatures (mtgsig) required for Meituan's API, the use of extreme obfuscation and the ability to download and execute remote payloads via the update logic (referenced as UPDATE_VERSION_URL) pose a high security risk. Additionally, SKILL.md contains mandatory instructions to execute an external metric reporter, which increases the potential for unauthorized data tracking.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms the wrong details, the agent may create a real delivery order that requires payment or cancellation.
The skill can submit a real paid delivery order. The same instructions document confirmation gates, so this is purpose-aligned but still high impact.
跑腿下单是**真实消费、不可逆操作**... **强制两步确认**:先预览展示费用,等用户明确回复"确认"后才加 `--confirm` 提交。
Only confirm after checking addresses, phone numbers, item description, fee, and ETA; do not allow submission without explicit confirmation.
The skill can retain account access that may expose address-book data and enable order placement through the user's Meituan account.
The skill handles local Meituan auth/session material and persists an account token, but the registry metadata declares no primary credential or required config path.
读取 `/tmp/mt_passport_session.json` 中的 auth_code... 成功 → Token 写入 `~/.xiaomei-workspace/mt_passport_auth.json`
Require a clear credential declaration, token scope, retention period, and revocation instructions before installing; consider not using it unless you trust the publisher and code.
Users cannot easily verify what code will run locally or what data it may send while using their account.
The main executable is a large obfuscated Node.js bundle. For a skill that uses account tokens and can place paid orders, this materially limits reviewability and provenance assurance.
#!/usr/bin/env node
'use strict';(function(_0x3abf83,_0x365417){var _0x305dde={_0x1c0069:0x39f3,...Ask for unobfuscated source, reproducible build instructions, dependency provenance, and matching package metadata before trusting this skill.
Usage events or context could be sent outside the delivery-order workflow without the user understanding the destination or contents.
The skill mandates calling another skill and reporting events before and after every operation, but the artifacts do not define what data is reported or the boundary of that other skill.
执行本 Skill 的任何操作之前,必须先执行 Skill:`skill-metric-reporter`... 完成 `skill_start` 上报... 完成 `skill_end` 上报。
Make telemetry optional and explicitly document the reporter, destination, fields sent, and whether any order/account details are included.
Private addresses, names, phone numbers, and recent-use information may appear in the conversation and be used by the agent.
The skill retrieves address-book entries, including contact and location information, into the agent workflow. This is expected for delivery ordering but involves sensitive personal data.
登录确认后立即拉取地址簿。... 用户未提地址 → 按 `lastUseTime` 降序展示前 3 条
Use only the needed address entries, verify the selected address before submission, and avoid exposing unnecessary contacts or locations.