Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

多平台返利管家 (Multi-Platform Rebate Manager)

v0.1.0

Aggregated management of rebates across multiple platforms: tracks the status of rebate orders and payout progress on every platform in one place, and provides rebate data analysis and money-saving reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The description promises cross‑platform account aggregation (淘宝联盟、京东联盟、多多进宝) and real‑time order syncing, which in practice requires platform credentials, API keys, OAuth flows, or cookie/session access. The skill declares no required environment variables, credentials, or config paths, which is inconsistent with the stated purpose.
Instruction Scope
SKILL.md is a high‑level product spec (features, reports, output format) but contains no runtime instructions about how to obtain/link accounts, which APIs to call, what endpoints to contact, or how alerts are delivered. It does not direct the agent to read unrelated system files or env vars, but it is underspecified and leaves sensitive decisions (how to collect credentials, where to send data) undefined.
Install Mechanism
No install spec and no code files are present (instruction‑only), so nothing will be written to disk or installed by default—this is the lowest install risk.
Credentials
To function as described the skill would need access to platform credentials or tokens. However, requires.env is empty and no primary credential is declared. This omission is a red flag: either the skill is only a conceptual spec, or it expects the agent to request sensitive credentials at runtime without describing the required types or scopes.
Persistence & Privilege
always:false is set, and no install spec or install scripts are present. The skill does not request persistent system privileges or declare modifications to other skills or agent-wide settings.
What to consider before installing
Before installing, ask the developer for concrete implementation details: which platform APIs are used, exactly which credentials/tokens will be required, and the authentication method (OAuth with redirect, read‑only API keys, or requiring cookies/passwords). Request a privacy/data‑flow statement: where is user data stored, which external endpoints receive data, and how long tokens are retained. Prefer skills that use standard OAuth or scoped read‑only API keys and that publish source code or a trusted homepage. Never paste full account passwords or long‑lived cookies into a skill without confirming you can revoke them easily; if you test, use disposable accounts/keys. If the developer cannot supply clear answers and code or an audit trail, treat this skill as untrusted.

