Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Honey Coupon Assistant

v0.1.0

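A tool for automatically applying coupons through the Honey browser extension (owned by PayPal): it automatically tests all available coupon codes at checkout and provides Honey Gold cashback points.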

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description describe browser-extension behavior (auto-test/apply coupons at checkout, interact with merchant pages, track prices, and credit Honey Gold). However, the package is instruction-only with no install spec, no required binaries, no declared browser integration, and no credentials. Performing the claimed actions would normally require browser extension permissions, access to checkout pages, or API credentials; those are absent, making the claimed capabilities inconsistent with the skill's actual footprint.
Instruction Scope
SKILL.md is high-level and reads like a feature spec (trigger words, output format) rather than concrete runtime instructions. It does not instruct the agent to read files, access environment variables, or call external endpoints, but it is vague about how the agent should implement 'automatic coupon testing' or 'price tracking'. That vagueness grants broad implementation freedom and could hide attempts to gather browsing or payment data if implemented later.
Install Mechanism
There is no install specification and no code files — this is instruction-only. From an installation point of view this is low risk because nothing will be downloaded or written by the skill as provided.
Credentials
No environment variables, credentials, or config paths are declared. Yet the described functionality would normally require access to the browser context, possible session/cookie data, or integration with Honey/PayPal APIs. The absence of any requested permissions or credentials is disproportionate to the claimed capabilities and suggests either the skill is purely informational or it's incomplete/misleading about required access.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and does not declare any modifications to other skills or system settings. Autonomous invocation is permitted by default on the platform, but that alone is not a concerning privilege in this package.
What to consider before installing
This skill looks like a product/feature description rather than a working integration. Before installing or using it:
1) Ask the publisher for source code or a browser-extension manifest and an explanation of how it accesses checkout pages and Honey/PayPal services.
2) Verify the publisher and prefer official Honey/PayPal extensions listed in the browser store.
3) Do not provide PayPal, payment, or browser account credentials unless you can review the code and trust the publisher.
4) If the skill later asks for permissions (cookies, session tokens, API keys), treat that as high risk and request a clear justification and code review.
5) If you only need coupon lookups or price advice, consider using documented public APIs or official browser add-ons instead of an opaque skill.

Like a lobster shell, security has layers — review code before you run it.
