Meituan Physical Automation
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: meituan-automation Version: 1.0.1 This skill provides physical control over an Android device to automate the Meituan app, including the ability to read sensitive personal information such as delivery addresses and phone numbers. It contains aggressive prompt injection in `SKILL.md` designed to force the AI agent to execute setup and operational commands immediately, bypassing typical user confirmation. Most significantly, `requirements.txt` includes `frida` and `frida-tools`, which are powerful dynamic instrumentation tools not used in the provided source code, suggesting potential for hidden malicious activity like app hooking or security bypass. Additionally, `cli.py` exposes a control interface via an HTTP server on all network interfaces (0.0.0.0).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A capable agent or caller could manipulate the connected phone beyond a single food-ordering step, including adding items, reaching checkout, or tapping/type-driving other screens.
The CLI/HTTP surface exposes cart mutation, checkout navigation, arbitrary coordinate taps, and text input on a real phone.
GET /add_to_cart?item=香辣鸡腿堡 ... GET /checkout ... POST /tap_xy body: {"x":0,"y":0} ... GET /type?text=汉堡Use only while watching the phone, require explicit confirmation before cart/checkout actions, and avoid exposing raw tap/type endpoints unless they are restricted to trusted local callers.
The agent effectively uses the user's Meituan account on the connected phone, even though no API key or password is declared.
The skill acts through the user's logged-in Meituan app session and can access order/address information through the app UI.
GET /checkout # 去结算(返回地址/总价/时间) GET /address # 查看当前收货地址
Only run this on an account and device you intend the agent to use, and verify address, cart, and total price before payment.
Installing the skill may add powerful packages unrelated or under-explained for the stated task, increasing supply-chain and local-tooling risk.
The skill installs unpinned instrumentation/MCP packages that are not clearly explained by the shown Meituan UI-automation code, while SKILL.md frames the approach as 'No reverse engineering' and 'No hacking.'
frida>=16.0.0 frida-tools>=12.0.0 mcp[cli]>=1.0.0
Remove unused dependencies, pin versions, add hashes or a lockfile, and document why each dependency is required.
This is expected for Android physical automation, but it executes code on the host and changes the connected device state.
The skill explicitly asks the agent to run local installation, device-driver initialization, and ADB commands.
You MUST use your bash/terminal tool to EXECUTE ... pip install -r requirements.txt ... python -m uiautomator2 init ... adb shell am start -n ...
Run setup manually or in a controlled environment first, and confirm the exact commands before allowing the agent to execute them.
If the server is reachable by anything untrusted, screen contents and phone-control actions could be exposed to another process or agent.
The artifacts describe an HTTP API for AI control of the phone and the shown handler code does not show authentication or caller/origin checks.
python cli.py serve # 启动 HTTP Server(供 AI 调用) ... GET /screen ... POST /tap_xy ... class AIHandler(BaseHTTPRequestHandler)
Bind only to localhost, add authentication, and do not run the HTTP server on shared or exposed networks.
A user may overtrust the automation and miss that the agent can still alter cart/account state and interact broadly with the phone.
The safety and anti-ban wording is stronger than the artifact-backed guarantees, given the raw tap/type controls and checkout workflow.
Your money stays 100% safe — the AI never completes payment. ... Risk account bans from bot traffic | Indistinguishable from a real user
Replace absolute safety claims with clear limits, disclose remaining risks, and require user confirmation before checkout-sensitive steps.
The phone may remain configured to stay awake longer after the task, affecting battery and privacy.
The skill changes persistent Android screen settings to keep the device awake during automation.
_adb("settings", "put", "global", "stay_on_while_plugged_in", "3")
_adb("settings", "put", "system", "screen_off_timeout", "600000")Restore previous screen settings after automation or clearly tell the user how to revert them.