Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

美逛返利助手

v0.1.0

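美逛 social e-commerce shopping-guide and rebate tool: aggregates coupons and rebates across multiple platforms, and provides product promotion materials and community operations support.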

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description promise aggregation of Taobao/JD/PDD coupons, affiliate link conversion, and scheduled community posting. Those capabilities normally require access to external APIs, affiliate account credentials, or web-scraping tooling. The skill declares no binaries, installs, or required credentials, which is an inconsistency (could be an instruction-only helper that asks users for data at runtime, but that's not stated).
Instruction Scope
SKILL.md is high-level and contains only capability descriptions and an output format. It does not instruct the agent to read system files, access environment variables, or call specific endpoints — which limits immediate risk — but it is vague about how to obtain or use platform data, meaning the agent may ask the user for credentials or perform ad-hoc web access at runtime.
Install Mechanism
No install spec and no code files are present. Instruction-only skills have minimal installation risk because nothing is written to disk, which matches the declared manifest.
Credentials
The declared requirements list no environment variables or credentials, yet features like '自动转链' (automatic link conversion) and multi-platform coupon aggregation typically require affiliate API keys, cookies, or account tokens. The absence of declared credential requirements is disproportionate to the claimed functionality and may indicate the skill will prompt for or expect sensitive credentials at runtime.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not declare modifications to other skills or system config. Autonomous invocation is allowed by default, but that is not by itself a red flag here.
What to consider before installing
This skill's description promises features that normally need affiliate/API credentials and concrete integration steps, but it declares none. Before installing or using it:
1) Ask the publisher how the skill will obtain coupon data and generate affiliate links (will it prompt you for API keys or cookies?).
2) Do not paste account tokens, cookies, or API keys into the skill until you confirm how they are stored and used.
3) Prefer skills that explicitly list required environment variables and installation steps or provide a privacy/security policy.
4) Test with non-critical accounts or dummy credentials first.
If the author cannot explain how external platform access is performed, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.
