卖家之家 (Cross-Border E-commerce) Service Provider Search
Security checks across malware telemetry and agentic risk
Overview
The search skill is mostly coherent, but it requires an MJZJ API key even though its documented search APIs are public, and it also points agents toward authenticated private-message sending.
Install only if you are comfortable providing an MJZJ API key. If you only need public service-provider search, ask the publisher to make the API key optional. Do not allow the agent to send private messages unless you have reviewed and approved the recipient and message content.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may need to provide an account API key even for public searches; that key could authorize other MJZJ account actions outside the public search flow.
The skill declares MJZJ_API_KEY as required while also saying its documented query interfaces are public and do not need a token, so the credential requirement is broader than the stated search purpose requires.
requires:\n env: ["MJZJ_API_KEY"] ... ## Authentication rules\n- All interfaces in this Skill are public and can be called without a token.
Make MJZJ_API_KEY optional for this search skill, request it only for authenticated actions, and clearly document the token scope and when it will be used.
If combined with the messaging skill and an API key, the agent could send private messages from your account after a provider search.
The skill describes chaining search results into an authenticated private-message API. This is adjacent to the search use case and user-directed, but it is an account action outside the two public search endpoints.
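When the user wants to contact a service provider, the `userSlug` can be passed directly as the `recieverUserSlug` parameter of `/api/message/sendMessage` to send the provider a private message (no additional query needed). Sending a private message requires authentication (`Authorization: Bearer $MJZJ_API_KEY`)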
Require an explicit user confirmation of the recipient and message content before any authenticated message is sent.
