Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopping Affiliate Search
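v1.0.0
Global shopping affiliate search tool - searches Taobao, JD, Amazon and other platforms for products and automatically adds your referral code to earn commission. Activates automatically when the user wants to buy something, search for products, or compare prices.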
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (affiliate search + inject referral codes) matches the included code: search.py manages affiliate IDs, builds affiliate links, and formats results. However the SKILL.md and README promise real multi-platform searching via platform APIs while the implementation returns simulated/mock results and placeholder API URLs — the capability is overstated compared to the actual code.
Instruction Scope
SKILL.md instructs running scripts/config.py and scripts/get_link.py, but the repository only contains scripts/search.py. Although search.py implements a 'config' subcommand, the documentation and examples are inconsistent about which files exist and how to run them. The instructions do not ask for unrelated environment variables or exfiltrate data, but the mismatch between docs and files is a practical risk (user may run non-existent commands or be misled about functionality).
Install Mechanism
No install spec and no external downloads — this is instruction-only plus a local script. Nothing will be automatically fetched or executed during install, minimizing supply-chain risk.
Credentials
The skill requests no environment variables or external credentials. Affiliate IDs are stored in a local config file (config/affiliate_config.json). The level of access requested is proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It writes and reads a local config file in the project's config/ directory — expected for storing affiliate IDs and normal for this kind of tool.
What to consider before installing
Before installing, consider the following:
- The repository contains scripts/search.py which implements config and search behavior, but the SKILL.md references scripts (scripts/config.py and scripts/get_link.py) that are not present — expect documentation/code mismatches.
- The code returns simulated/mock search results and builds affiliate links from configured IDs; it does not actually call platform search APIs. If you need real-time, accurate searches you should verify/implement real API integrations.
- The tool stores affiliate IDs in config/affiliate_config.json on disk. Review that file and treat any stored IDs like sensitive tokens if you reuse them elsewhere.
- Because the docs overstate capabilities, test the skill in a sandboxed environment first and inspect the config file and output URLs to ensure they behave as you expect and comply with affiliate program rules.
- If you expect automatic activation in conversational flows, confirm your agent's autonomous-invocation settings and whether you want the agent to call this skill when users mention purchases or searches.
If you want, I can (1) point out the exact lines where the docs and code diverge, (2) suggest a minimal patch to make the docs accurate, or (3) propose changes to implement real API calls for one platform so behavior matches the description.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🛒 Clawdis
