Lafeitu (辣匪兔) Spicy Food
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Lafeitu shopping skill, but it can log in, store a local token, change carts/profile data, and create unpaid orders, so users should review account and order actions carefully.
This skill appears purpose-aligned for Lafeitu shopping. Before installing or using it, be comfortable with it contacting Lafeitu’s API, saving a local login token, and making cart/profile/order changes when instructed. Confirm all purchase and shipping details yourself, and log out when finished if you do not want credentials retained.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant may change your Lafeitu cart, update account/shipping details, or create an unpaid order for you.
The skill can perform commerce mutations such as cart changes, profile updates, and order creation. The quoted instruction shows these actions are disclosed and includes a confirmation/payment handoff boundary.
Use `create-order` only after shipping details are confirmed. Payment is always a human handoff.
Only approve cart, profile, or order actions after checking the exact products, quantities, recipient name, phone number, and address.
Anyone or any agent process that can use the saved token may be able to perform logged-in Lafeitu actions until you log out or remove the credential file.
The client stores a Lafeitu account token locally and sends it on API requests. This is expected for logged-in commerce actions and uses restricted file permissions, but it grants account-level authority.
json.dump({"account": account, "token": token}, f)
os.chmod(self.creds_file, 0o600)
self.session.headers.update({"x-user-account": account, "x-api-token": token})
Use the skill only on a trusted machine, avoid sharing transcripts containing passwords, and run `logout` when finished if you do not want the token retained.
Setup may depend on whatever `requests` version your Python environment installs.
The required Python dependency is disclosed and purpose-aligned, but it is an unpinned pip package and the registry-level install spec says no install spec was provided.
"install":[{"id":"python-deps","kind":"pip","package":"requests","label":"Install Python dependencies"}]
Install dependencies from a trusted Python environment; publishers should align registry install metadata and preferably pin dependency versions.
