ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jd-affiliate

v1.0.0

京东联盟推广平台 - 推客工具、商品推广链接生成、佣金查询、推广数据统计、选品推荐、京粉联盟

0· 40·0 current·0 all-time
by@naive-white-expert
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md claims concrete capabilities (生成推广链接、查佣金、统计数据、选品推荐) that normally require access to 京东联盟 APIs, account credentials, or web-scraping. The skill declares no required environment variables, credentials, or external endpoints, making its stated capabilities impossible to verify or execute reliably.
!
Instruction Scope
The SKILL.md is a high-level feature/spec list and example prompts, not a runtime procedure. It contains no explicit API calls, endpoints, authentication steps, or commands. This vagueness gives the agent broad discretion (e.g., asking the user for credentials, attempting to use web access, or fabricating values) and does not constrain how affiliate-links or commission data should be obtained.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes installation risk because nothing is downloaded or written to disk by the skill itself.
!
Credentials
No environment variables or credentials are required, yet the described functions would normally need JD联盟 credentials (API key/secret, union account). The absence of credential requirements is an inconsistency — either the skill is purely informational or it will prompt the user to supply sensitive data at runtime.
Persistence & Privilege
always is false and there are no install hooks or config paths touched. The skill does not request persistent elevated privileges.
What to consider before installing
This skill reads like a feature checklist rather than an executable integration. If you expect it to generate real JD affiliate links or fetch commission and order data, ask the publisher how the skill authenticates to 京东联盟 (what API endpoints and credentials it uses). Do not provide account keys or passwords to an unverified skill or unknown author. If you only want templated guidance, copywriting, or examples for affiliate promotion, this instruction-only skill may be harmless; but for real-time operations you should prefer an official/integrated connector that documents authentication, or require the skill to explicitly declare and justify any credentials it needs.

Like a lobster shell, security has layers — review code before you run it.

latestvk9704q0y10a36q05kt712ktcr5842fmf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments