Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

跳舞兰 (Tiaowulan) flower-ordering platform, nationwide home delivery in 2 to 24 hours

v1.0.1

跳舞兰 (Tiaowulan) flower-ordering skill. Triggers when the user expresses intents such as "order flowers", "buy flowers", "send flowers", "browse bouquets", "bouquet recommendations", "flower shop" or "pick a bouquet". Supports: product browsing (keyword/category/price filtering), product detail view (image + price), smart recommendations (by occasion/recipient/budget), order placement, and order confirmation.

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (flower shop, browsing, recommending, ordering) matches the provided assets and instructions: products.json contains 44 items and SKILL.md describes search, recommendation, display and ordering workflows that operate only over that data.
Instruction Scope
Instructions are narrowly focused on browsing the provided products and placing orders. They explicitly require collecting recipient name, phone, address, message, and optional delivery time (expected for an ordering flow). The SKILL.md tells the agent to call an external API (https://piaoleaf.tiaowulan.com/api/trade/CreateOrder) via curl/exec to submit orders and to convert the returned payment URL into a QR code. Collecting and transmitting PII to that endpoint is expected for ordering, but it is a sensitive action the user should be aware of.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk. Lowest-risk installation surface.
Credentials
The skill requests no environment variables or credentials (proportionate). However, it requires collecting personal data (name, phone number, full address) and will send those fields to an external domain when creating an order — this is functionally necessary but privacy-sensitive. No undeclared env vars or unrelated service credentials are requested.
Persistence & Privilege
always:false and default autonomous invocation are set (normal). The skill does not request persistent system-wide privileges or modify other skills' configs.
Assessment
This skill behaves like a normal web-based flower-ordering assistant and is internally coherent, but it will collect sensitive personal data (recipient name, mobile number, full delivery address, message) and POST that data to https://piaoleaf.tiaowulan.com/api/trade/CreateOrder. Before installing or using it, consider:
1) Do you trust that external domain and its privacy and security practices?
2) Avoid submitting real personal data in testing: use dummy values first to confirm what the skill actually sends and where.
3) Verify how the returned payment URL is handled (the skill asks you to convert it into a QR code). Confirm that the QR is generated locally, not by passing the URL to a third-party QR service you do not trust, and that the URL points at a host you expect before you scan or pay.
4) Note that the curl example sets a Content-Type of application/x-www-form-urlencoded while sending a JSON string as the body. The server will either reject the request or parse the JSON as a single form field, so expect to correct either the header or the encoding before orders go through.
If you need stronger assurances, ask the publisher for a privacy policy or an official API specification for piaoleaf.tiaowulan.com.
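The following dry-run harness is an added example for points 2 to 4 above; it is not code from the skill or from ClawHub. It builds the CreateOrder request with constructed dummy values, checks that the Content-Type header matches the body encoding, sends the request to a local mock instead of the real endpoint, and allow-lists the returned payment URL before it would be handed to a local QR renderer. The request field names (recipientName, phone, address, message, deliveryTime), the response shape (payUrl) and the trusted-host list are assumptions, since the scan result only lists which data is collected and which URL receives it.

```python
"""Dry-run harness for the CreateOrder call described in the scan result (added example)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

REAL_ENDPOINT = "https://piaoleaf.tiaowulan.com/api/trade/CreateOrder"  # from the scan result
TRUSTED_PAYMENT_HOSTS = {"piaoleaf.tiaowulan.com"}  # assumption: only the merchant's own host

# Constructed dummy order. Field names are an assumption; the page only lists what is collected.
DUMMY_ORDER = {
    "recipientName": "Test Recipient",
    "phone": "13800000000",
    "address": "Dry-run address, do not deliver",
    "message": "dry run",
    "deliveryTime": "",
}


def build_request(order, content_type="application/json"):
    """Encode the order so that the body actually matches the Content-Type header."""
    if content_type == "application/json":
        body = json.dumps(order, ensure_ascii=False)
    elif content_type == "application/x-www-form-urlencoded":
        body = urlencode(order)
    else:
        raise ValueError("unsupported content type: " + content_type)
    return {"Content-Type": content_type}, body


def header_matches_body(headers, body):
    """Flag the mismatch the scan points out: a form-encoded header carrying a JSON string."""
    ct = headers.get("Content-Type", "")
    is_json_body = body.lstrip().startswith("{")
    if ct.startswith("application/json"):
        return is_json_body
    if ct.startswith("application/x-www-form-urlencoded"):
        return not is_json_body
    return False


def payment_url_is_trusted(url, trusted=TRUSTED_PAYMENT_HOSTS):
    """Only pass a payment URL to a local QR renderer if it is https and on an allow-listed host.
    urlsplit().hostname drops userinfo, so 'https://good.example@evil.example/' yields 'evil.example'."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in trusted


class _MockCreateOrder(BaseHTTPRequestHandler):
    """Stand-in for the real endpoint: records what was sent and returns a payment URL.
    The 'payUrl' response field is an assumption."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        self.server.seen = {"content_type": self.headers.get("Content-Type"), "body": raw.decode()}
        reply = json.dumps({"payUrl": "https://piaoleaf.tiaowulan.com/pay/dry-run"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the harness quiet
        pass


def dry_run(order=DUMMY_ORDER):
    """POST the dummy order to a local mock instead of REAL_ENDPOINT and vet the returned URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockCreateOrder)
    server.seen = None
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers, body = build_request(order)
        if not header_matches_body(headers, body):
            raise RuntimeError("header/body encoding mismatch; fix before sending anything")
        url = f"http://127.0.0.1:{server.server_port}/api/trade/CreateOrder"
        req = Request(url, data=body.encode(), headers=headers, method="POST")
        with urlopen(req, timeout=5) as resp:
            pay_url = json.loads(resp.read())["payUrl"]
        return {"sent": server.seen, "pay_url": pay_url, "trusted": payment_url_is_trusted(pay_url)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(dry_run(), indent=2, ensure_ascii=False))
```

Run it as a script to see exactly which fields and encoding leave the machine before any real recipient data is involved; swap the mock for REAL_ENDPOINT only once the output matches what you expect. The host check deliberately rejects http:// URLs and URLs whose userinfo part impersonates the merchant, and it should be applied before rendering the QR with a local library rather than a web QR service.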


latest: vk97e3qq2eqaxjzxqv97n850w1184wdf0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
