Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

全网比价助手 (All-Platform Price Comparison Assistant)

v0.1.0

A cross-platform product price comparison tool: compares the same item's price across Taobao, JD.com, Pinduoduo, Douyin and other platforms with one click, and factors in coupons and rebates to compute the true lowest final price.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md functionality (search platforms, compare prices, include coupons/rebates). However, the skill claims to compute affiliate rebates (e.g., 淘宝联盟 (Taobao Alliance), 京东联盟 (JD Alliance)) yet declares no required credentials or APIs — this is a partial mismatch (it could be estimating rebates from public pages, but precise rebate calculation often requires partner API access).
Instruction Scope
SKILL.md describes the steps at a high level ('automatically search Taobao/JD.com/Pinduoduo/Douyin and other platforms and retrieve real-time prices, coupons and rebates') but gives no concrete method (official APIs, affiliate APIs, or scraping). This vagueness grants the agent broad discretion to scrape sites or call third-party services, which may have privacy, accuracy, or TOS implications. The instructions do not direct the agent to read local files or environment variables, which is good, but they are open-ended and may lead to undesired network activity.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and there is no package installation step. This lowers technical installation risk.
Credentials
The skill requests no environment variables or credentials. That is safe from a secrets-exfiltration point of view, but it also creates a capability mismatch with the rebate/affiliate claims: accurate rebate calculation commonly requires affiliate tokens or API access, which are not declared. The absence of required creds could mean the skill will use heuristics or public scraping, which affects accuracy.
Persistence & Privilege
No special persistence requested (always:false), no installs, and normal autonomous invocation allowed. Nothing here grants elevated or permanent privileges.
What to consider before installing
This skill is coherent enough to try — it explains what it will produce and makes no demands for credentials or installs — but it is vague about how it obtains prices, coupons, and affiliate rebates. Before installing or relying on its results: 1) understand it may scrape public pages or call unspecified services (which can be inaccurate or violate platform TOS); 2) do not provide any affiliate/API keys unless the skill explicitly asks for them and explains how they are used; 3) validate price/rebate calculations on a few known items to judge accuracy; and 4) prefer a version that documents concrete data sources (official APIs or trusted aggregators) if you need reliable rebate amounts. If you want higher confidence, ask the author which APIs or methods it uses and whether providing affiliate credentials is required for accurate rebate computation.


latest: vk97fg2s8826v97n55exdkg29en83q7ma
