Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Haosheng (好省) Rebate Assistant

v0.1.0

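A CPS shopping-guide tool for Haosheng (好省) social e-commerce. Using a share-code (口令) sharing model, it provides multi-platform rebate lookup and coupon promotion across Taobao, JD and Pinduoduo.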

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to query Taobao/JD/Pinduoduo, generate platform-specific 口令 (referral codes), and show commission dashboards. Those capabilities normally require platform APIs, affiliate/partner credentials, or scraping code and network endpoints. The skill declares no required env vars, no primary credential, no config paths, and no binaries — this is inconsistent with the stated purpose and suggests missing or omitted integration details.
! Instruction Scope
SKILL.md contains high-level feature descriptions and output format but provides no concrete runtime instructions (no API endpoints, no HTTP calls, no CLI commands, no handling of credentials). The prose is open-ended — it grants broad discretion about how to obtain data (e.g., web scraping vs official APIs) and does not constrain where or how data is transmitted, which increases ambiguity about what the agent would actually do at runtime.
Install Mechanism
There is no install specification and no code files — this is an instruction-only skill. That reduces immediate filesystem/install risk because nothing will automatically be downloaded or written during installation.
! Credentials
The skill requests no environment variables or credentials, yet its functions (affiliate/referral generation, commission dashboards, team management) normally require affiliate IDs, merchant API keys, or third‑party tokens. The absence of declared credentials is disproportionate to the declared functionality and could mean required secrets would be requested later in unclear ways.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence. Default autonomous invocation is allowed (platform default) but there is no evidence the skill tries to modify other skills or agent-wide settings.
What to consider before installing
This skill is currently a high-level plan rather than a concrete implementation. Before installing or enabling it, ask the author for: (1) precise integration details — which APIs or endpoints will it call and from which domains; (2) what credentials/affiliate IDs are required and how those are stored/used; (3) whether it will perform web scraping and what rate/targets; (4) where generated 口令 (referral codes) are created and whether they include your affiliate IDs; (5) a data flow explanation showing what user data is collected, transmitted, or stored and where (including any third-party servers). If you must try it, do so in a restricted/sandboxed environment and do not supply any production affiliate keys or sensitive credentials until you see clear, verifiable implementation details. Because the skill is vague about network activity and credentials, treat it as untrusted until those questions are answered.
