Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopping Savings Guide (购物省钱攻略)

v1.0.3

Shopping savings guide; invoked when the user asks about online shopping, shopping, buying things, or good deals.

0· 167·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for geraldalexanderrw/shopping-helper.

Prompt Preview: Install & Setup
Install the skill "购物省钱攻略" (geraldalexanderrw/shopping-helper) from ClawHub.
Skill page: https://clawhub.ai/geraldalexanderrw/shopping-helper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shopping-helper

ClawHub CLI

npx clawhub@latest install shopping-helper

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
The name/description (shopping coupon aggregator) aligns with the actual behavior: the Python script requests coupon data from an external aggregator, filters categories/coupons, caches results, and prints output. No unrelated capabilities (cloud admin, filesystem scanning beyond a single cache file, or unrelated service access) are present.
Instruction Scope
SKILL.md and the script stay within the shopping/coupon domain. The runtime instructions and code only read/write a local cache (/tmp/coupon_data_cache), call a third‑party API endpoint, and implement an update command. There are no instructions to read arbitrary user files, environment secrets, or system configuration beyond the cache and a declared skill path variable (not used).
Install Mechanism
This is an instruction-only skill with a bundled script and no install spec. Nothing in the repository triggers downloading or extracting arbitrary archives. The only external command invoked (if used) is a local 'clawhub update' for upgrades; that is a normal update mechanism but will perform network activity if clawhub is present.
Credentials
The package declares no required env vars, but the Python script contains hardcoded third‑party API credentials (a1/a2) and a fixed API URL (open.datadex.com.cn). Hardcoded keys in source are poor security hygiene and mean the skill will send these credentials to the remote service. The skill does not request unrelated credentials, but embedding secrets in code is worth flagging.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does write a cache to /tmp and suggests running an update via 'clawhub', but it does not modify other skills or system settings.
Assessment
This skill appears to do what it claims (fetch and show coupons) and is not trying to access unrelated credentials or system files. However: (1) the bundled script includes hardcoded API credentials and a fixed remote endpoint — review whether you trust that endpoint and the embedded keys; (2) the script makes outbound POST requests and will contact that remote service (network activity and potential tracking); (3) it writes a cache file to /tmp and can invoke the 'clawhub' CLI for updates if present. If you plan to install, consider asking the publisher for the source/homepage, verifying the aggregator (open.datadex.com.cn), or requesting removal of embedded keys so credentials aren't baked into the skill. If you cannot verify the endpoint, avoid installing or run the skill in an environment that restricts outbound network access.

Like a lobster shell, security has layers — review code before you run it.

latest vk973y4vksfnb6fx7jadbrj8x1n839png
167 downloads
0 stars
4 versions
Updated 1h ago
v1.0.3
MIT-0

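🛒 Shopping Savings Guide (购物省钱攻略)

Features

Syncs deal information from multiple e-commerce platforms in real time, focuses on online shopping, and helps you find the best discounts on JD.com, Taobao, Pinduoduo and other platforms.

Usage

View today's best prices

What's worth buying?
Today's best prices
Shopping deals

→ Returns today's popular deals from the major platforms

Look up a specific product

Phone deals
Computer discounts
Cheap headphones
Clothing discounts

→ Returns discounted products in the matching category

Look up platform-specific deals

JD.com deals
Taobao best prices
Pinduoduo bargains

→ Returns deals exclusive to the matching platform

Data notes

  • Data comes from a third-party deal aggregation service
  • Covers mainstream e-commerce platforms including JD.com, Taobao, Pinduoduo and Xianyu
  • Coupons are time-limited; use them promptly
  • Some products require copying the link and opening it in the app

Troubleshooting

  • If you see the message "数据爬取失败" (data fetch failed), try again later
  • If it keeps failing, reply 「升级最新版」 (upgrade to the latest version) to get the update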
