Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
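Fenxiang Life (粉象生活) Rebate Assistant
v0.1.0
A CPS rebate aggregation tool for the Fenxiang Life platform. It combines commissions from multiple platforms such as Taobao Alliance, JD Union and Duoduo Jinbao, and supports two modes: saving money on your own purchases and earning money by sharing.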
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose is to integrate official CPS/affiliate APIs (Taobao Alliance, JD Union, Duoduo Jinbao, Meituan and others) and perform actions like generating promotion links and viewing team commission data. Those capabilities normally require API credentials, affiliate IDs, and explicit integration steps; the skill declares none of these and requests no environment variables or config. This is inconsistent with the claimed functionality.
Instruction Scope
SKILL.md is high-level and describes intended features and output format but contains no runtime instructions, authentication flows, or allowed endpoints. The prose gives the agent broad, vague authority to 'integrate official CPS interfaces' (整合官方CPS接口) and 'view the promotion data of downline teams' (查看下级团队的推广数据) without constraints. That open-endedness grants the agent undue discretion and is a scope mismatch.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk during install. This reduces technical risk but does not address the functional incoherence between claimed capabilities and required credentials.
Credentials
The skill requires no environment variables or credentials, yet its functionality (CPS aggregation, link generation, team commission viewing) inherently needs affiliate API keys, client secrets, or platform accounts. Absence of declared credentials is disproportionate and unexplained.
Persistence & Privilege
The skill is not always-enabled and uses default invocation settings. It does not request system-level persistence or modify other skills' configuration.
What to consider before installing
This skill promises to connect to multiple affiliate networks and manage commission data but does not list any API keys, auth steps, or a homepage/source—that mismatch is the main red flag. Before installing or enabling autonomous use: (1) ask the publisher for a clear integration plan (which APIs, exact auth flows, what env vars or affiliate IDs are needed); (2) refuse to provide full account credentials—use read-only or scoped/test keys where supported; (3) disable autonomous invocation until you verify behavior; (4) request a privacy/security statement describing what user data is accessed and where promotion links are hosted; (5) prefer skills with a verifiable homepage or source repository and explicit install/auth instructions. If the publisher cannot justify how the skill will authenticate to the listed platforms, treat the skill as unsafe to enable.
Like a lobster shell, security has layers — review code before you run it.
latestvk9757689kvwpfzbjvkr7knbs2h83rz8n
