Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Checkin

v0.1.0

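Provides automatic daily check-in reminders for major apps, points accumulation tracking, and guidance on redeeming points for value.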

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description promise automated daily check‑ins and points/redemption guidance for apps, but SKILL.md content is about '签到汇总' ("check-in summary") as a product/price/logistics summary (filters, return fields, example queries) — these are different features. It's unclear which is the true purpose; required permissions (none) also don't match an automation that would need notification or account access.
! Instruction Scope
SKILL.md contains only descriptive fields, example prompts, and UX notes; it does not provide runtime instructions to perform check‑ins, send notifications, access app APIs, or access user accounts. Conversely, it references data fields (logistics traces, order refund records) that would normally require access to user order data, but there are no instructions or declared creds for those actions.
Install Mechanism
Instruction‑only skill with no install spec and no code files. That minimizes on‑disk risk; nothing is downloaded or installed.
Credentials
The skill declares no required environment variables, credentials, or config paths. For the stated automated check‑in capability this is under‑privileged (missing notification/account access), and for the SKILL.md content it's proportionate because it doesn't instruct accessing external secrets.
Persistence & Privilege
Defaults are used (not always:true). The skill is user‑invocable and allows model invocation (normal). It doesn't request persistent system presence or modify other skills.
What to consider before installing
This skill is internally inconsistent: its description promises automated app check‑ins and points redemption but the SKILL.md reads like an e‑commerce product summary. Before installing, ask the publisher to clarify the intended functionality and provide a matching SKILL.md. Specifically verify: (1) if the skill will actually perform automated check‑ins, what credentials or notification permissions it needs and why; (2) whether it will access your accounts or orders (and where credentials are stored); and (3) who maintains the skill and whether a homepage or source repository exists. Because it's instruction‑only and requests no credentials, the immediate technical risk is low, but the mismatch could indicate sloppy or misleading metadata — avoid enabling it until you get a clear, matching description and runtime instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk973k9kkf81re3vg56dyheeg7n837cmv