Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Cn
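v1.0.0
Amazon China shopping assistant. Supports product search, price lookup, order viewing, and shopping recommendations, giving users a convenient e-commerce shopping experience.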
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match (Amazon China shopping assistant). However, features like '订单管理' (view order status/logistics) and potentially placing orders imply access to an Amazon account or API. The skill declares no required credentials, primary credential, or config paths to accomplish account-scoped actions, which is inconsistent with the claimed capabilities.
Instruction Scope
SKILL.md is very high-level and does not specify how runtime actions should be performed (no API endpoints, no OAuth flow, no web-scraping instructions). Because order-related features require account access, the lack of guidance is a concern: it leaves open how the agent will obtain necessary credentials, whether it will ask the user to paste passwords into chat, or whether it will attempt web scraping—each of which has different security implications.
Install Mechanism
No install spec and no code files (instruction-only). This is lowest-risk from a file/installation perspective because nothing will be downloaded or written by an installer. However, this reduces auditability: behavior depends entirely on the agent's runtime actions guided by the prose.
Credentials
The skill requests no environment variables or credentials, but some claimed features (order viewing, order management, placing orders) normally require authenticated access to Amazon. The absence of declared secrets (API key, OAuth client, user token) is disproportionate and ambiguous.
Persistence & Privilege
Skill flags are default (always:false, model invocation allowed). No requested persistent config paths or modifications are declared. There is no explicit request for permanent presence or elevated system privileges.
What to consider before installing
Do not assume the skill can safely access your orders or place purchases just because it claims those features. Before installing or invoking: ask the skill author how account access works (OAuth? API token? will it ask you to paste credentials into chat?), request a list of exact environment variables or endpoint URLs the skill will use, and confirm where any tokens would be stored. Never paste your Amazon password or long-lived credentials into a chat. Prefer skills that use documented APIs and OAuth flows (with token scopes shown) or that explicitly declare the env vars they need. If the author can't explain how authenticated features are implemented, treat the skill as risky and avoid granting it account access.
Like a lobster shell, security has layers — review code before you run it.
