Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fenxiang Rebate Assistant (芬香返利助手)

v0.1.0

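Fenxiang is a rebate tool for JD.com-affiliated social e-commerce, focused on product promotion and commission rebates on the JD.com platform, with support for JD.com coupon lookup and community promotion.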

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description describe an affiliate/rebate tool tightly integrated with JD.com (coupon aggregation, commission tracking, promotion link generation). However, the skill declares no required APIs, credentials, or endpoints — functionality described normally requires partner API keys or merchant credentials. The lack of declared dependencies or credentials is disproportionate to the claimed capabilities.
! Instruction Scope
SKILL.md is high-level and contains trigger words and an output template but no concrete runtime instructions (no API endpoints, no commands, no guidance on where to fetch coupons or how to generate promotion links). That vagueness grants the agent broad discretion (e.g., it may attempt web scraping, ask the user for credentials, or call external services) without constraints. The instructions do not explicitly request or forbid reading local files or asking for secrets.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes installation risk because nothing is written to disk during install.
! Credentials
No environment variables, credentials, or config paths are declared. Given the described features (affiliate links, commission tracking, settlement, withdrawals), one would normally expect required credentials (JD Union (京东联盟) API keys, partner tokens, or third-party service keys). The absence of declared secrets is a mismatch and could lead to the skill asking users for credentials at runtime or attempting unauthenticated scraping.
Persistence & Privilege
always is false and model invocation is enabled (default). Autonomous invocation is permitted (normal), and there is no indication the skill requests elevated persistence or system-wide configuration changes.
What to consider before installing
This skill's description promises deep JD.com integration but provides no implementation details, source, or required credentials. Before installing: ask the author for (1) a source repo or homepage and proof of JD.com partnership, (2) the exact APIs/endpoints and what credentials (if any) the skill needs, and (3) whether the skill will ever ask you to paste API keys or perform web scraping. Do not paste any API keys, tokens, or passwords into a chat unless you trust the source and understand the minimum required scopes. Prefer skills that declare required environment variables and have a reputable source. If you still try it, run the skill with limited privileges and monitor network/activity for unexpected requests.

Like a lobster shell, security has layers — review code before you run it.
