Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

券返双省助手

v0.1.0

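A money-saving tool that stacks coupons with rebates: it automatically finds available coupons and matches the highest-rebate channel, combining both to maximize savings.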

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (find coupons + match rebates) aligns with the SKILL.md goals. However, tasks like identifying '隐藏券' (hidden coupons) and '匹配最高返利渠道' typically require integration with affiliate/rebate networks or access to user account/session data; the skill declares no credentials, APIs, or integration points to legitimately perform those actions.
Instruction Scope
The SKILL.md gives high-level commands: '自动搜索', '持续追踪', '时效提醒' without describing how to search (APIs, scraping, or requiring user session/cookies) or limits on what to access. That vagueness grants the agent broad discretion and could lead to actions outside the user's intent (scraping sites, asking for credentials, reading browser/session data) even though none of those data sources are referenced explicitly.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is lower-risk because nothing is written to disk by a provided installer.
Credentials
The skill requests no environment variables or credentials, yet several core features (affiliate/rebate channel access, hidden-coupon APIs, sending reminders) normally require API keys, affiliate IDs, or account credentials. The absence of any declared secrets or config is an inconsistency worth clarifying.
Persistence & Privilege
The SKILL.md promises '持续追踪' and '时效提醒' (ongoing tracking and expiry reminders) but the skill is not marked always:true and provides no mechanism for scheduling or persistent monitoring. This is a functionality/privilege mismatch that should be explained (e.g., whether reminders require user-to-run checks, external scheduler, or platform support).
What to consider before installing
Before installing, ask the skill author: (1) exactly how it discovers 'hidden coupons' and rebate channels (APIs, affiliate partners, or web scraping); (2) whether it needs your account credentials, browser cookies, or affiliate tokens — and where those would be stored; (3) where coupon/rebate data is fetched from and whether any third-party endpoints receive your product or account data; (4) how 'continuous tracking' and reminders are implemented (does it run background jobs or rely on you to invoke it); and (5) whether there's a privacy policy or data-handling statement. Do not provide login credentials, cookies, or secret tokens unless you trust the author and they explicitly declare and justify the required environment variables and storage behavior. If the author cannot clarify these points, treat the skill cautiously or test it only with non-sensitive examples.
