苏宁帮客 Appointment Booking Service
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do the advertised service booking task, but it sends the user’s phone number and repair description to an external production endpoint.
Before installing, be comfortable with the agent collecting your phone number and repair description and sending them to the listed 苏宁帮客 endpoint after you confirm. Do not provide someone else’s phone number, and treat the POST method as a privacy improvement rather than a complete privacy guarantee.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If confirmed, the agent may submit a real repair/service appointment request using the provided details.
The skill instructs the agent to make a production POST request that may create a service reservation. This is purpose-aligned and gated on user confirmation, but it is still an external action the user should notice.
Step 3: Submit the appointment (if the user confirms). Use a POST request to submit the data to the 苏宁帮客 appointment endpoint: https://asapps.suning.com/asapps/mcp/serviceReserveNew
Only submit after explicit user confirmation, and make clear that this may create a real service request.
The user’s contact number and repair issue may be shared with the external booking service.
The skill sends the user’s phone number and repair description to an external service endpoint. This data flow is disclosed and necessary for the booking purpose, but it involves personal information crossing a service boundary.
Request body parameters: phone=<phone number> serviceDescription=<fault description>
Tell users exactly what information will be sent and submit only the minimum necessary details.
Users could overestimate the privacy guarantees of the submission method.
The privacy note correctly favors POST over URL query parameters, but it overstates the protection because request bodies can still be logged by servers, proxies, tools, or command histories depending on implementation.
Prevents sensitive data from being recorded in server logs, browser history, and the HTTP Referrer header
Describe POST as reducing URL exposure, not as a complete guarantee that sensitive data will never be logged.
