Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
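High-Commission Alliance Rebate Assistant (高佣联盟返利助手)
v0.1.0 · A CPS aggregation and rebate tool for the High-Commission Alliance (高佣联盟) whose core advantage is its high commission rate, covering rebates on Taobao, JD, Pinduoduo, Meituan and other platforms as well as social viral-growth promotion.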
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to aggregate CPS data from Taobao, JD, Pinduoduo, Meituan, etc., which normally requires platform affiliate accounts, API keys, or partner integrations; the manifest declares no credentials, config paths, or required binaries. That omission is an inconsistency: it could be an oversight, or it could indicate that the skill expects the agent to scrape or otherwise access services without explicit credentials.
Instruction Scope
SKILL.md is an outline of features and an output format but contains no concrete runtime instructions (no API endpoints, no commands, no guidance on where data comes from). The lack of defined runtime behavior is vague and gives the agent broad discretion to choose how to obtain prices/links (API calls, scraping, asking the user), which is a potential risk if not clarified.
Install Mechanism
This is an instruction‑only skill with no install spec and no code files, so nothing will be written to disk at install time. That minimizes install-time risk.
Credentials
No environment variables or primary credential are declared, yet real functionality (querying platform CPS/creating promotion links, settlement) typically requires secret API keys or affiliate credentials. The absence of declared credentials is disproportionate to the claimed capabilities and should be explained.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. There are no requests to modify other skill configurations or to persist system-wide settings.
What to consider before installing
Before installing, ask the author to explain exactly how the skill gets commission/pricing data and generates promotion links: which platform APIs or accounts are used, what credentials (if any) it will request, and whether it will store or transmit affiliate earnings or user data. Prefer a version that declares required environment variables (affiliate API tokens) and limits them to read-only affiliate scopes. Beware if the skill later asks for unrelated secrets (e.g., cloud credentials, email/password). Also confirm whether the implementation uses official APIs (recommended) or web scraping (may violate platform ToS). Because this skill is instruction-only and has no code to inspect, insist on a clear runtime spec or source code before trusting it with credentials or financial actions.
Like a lobster shell, security has layers — review code before you run it.
