Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pinduoduo Automation

v2.0.2

Pinduoduo Manager supports product management, order processing, data analytics, competitor monitoring and smart pricing, helping automate store operations and optimize sales.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md claims extensive capabilities (product management, order processing, competitor monitoring, smart pricing, reporting/automation), but the repository contains only two small placeholder shell scripts and a config template. There are no binaries, no implementation of the CLI commands referenced (e.g., `pinduoduo-automation daily-report`, `diagnose`, `test-connection`), and many files referenced in the file tree (product_manager.sh, order_processor.sh, data_analyzer.sh, pricing_engine.sh, README.md) are missing. The declared functionality is disproportionate to the artifacts actually included.
Instruction Scope
Runtime instructions tell the user to edit a config file under ~/.openclaw/workspace/skills/... and run named CLI commands, but the package contains no executable or entrypoint implementing those commands. The two provided scripts are inert placeholders: they only echo TODO content, and one writes a static report filled with zeros. The SKILL.md also asserts encryption of API keys and logging practices, but no mechanism or script implementing those security features is present. The instructions are therefore misleading and grant the agent wide discretion without any concrete implementation.
Install Mechanism
There is no install specification (instruction-only with a couple of small scripts). That is low-risk from an automatic install perspective because nothing is automatically downloaded or executed during install.
Credentials
No environment variables or credentials are required by the registry metadata, but config.yaml includes fields for app_key, app_secret, and access_token (expected for an API-integrated ecommerce tool). This is not inherently excessive, but the skill neither declares nor implements secure storage or an expected handling method for those secrets; SKILL.md claims encrypted storage but provides no code to perform it. Also, the absence of declared required env vars while a config file expects secrets may confuse users.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (defaults). It makes no request to change other skills or system-wide settings. There is no install-time persistence mechanism in the package.
What to consider before installing
This package appears to be an incomplete or placeholder 'Pinduoduo automation' skill rather than a working product. Before installing or providing any API keys:

1. Ask the author for the canonical source repository or release that implements the CLI and encryption/logging claims.
2. Do not paste real app_key/app_secret/access_token values into config.yaml until you confirm how they are stored and used.
3. Verify the presence of actual network/HTTP client code that talks to open.pinduoduo.com and review it for secure handling of credentials.
4. Because the skill references a paid model and payment account setup, confirm the vendor and payment flow externally rather than via these files.
5. If you want to test, run it in an isolated environment (no production credentials) and expect the current scripts to only generate static demo reports.

The inconsistencies could be benign (work-in-progress) but also mean the package is not yet suitable for real use.


