Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description promise QR payments, transfers and aggregated bank-card offers and the SKILL.md claims '亚小时级同步' ("sub-hourly sync") with market data and personal bills. However the skill is instruction-only with no code, no install spec and no declared credentials — it cannot actually perform syncing, access user accounts, or execute transfers as described.
Instruction Scope
SKILL.md is high-level guidance and a response schema (fields to return, example prompts). It does not include instructions on how to access bank/UnionPay APIs or user account data, yet it asserts continuous syncing of personal bills — this is vague scope creep and implies access the skill does not declare or provide mechanisms for.
Install Mechanism
No install spec and no code files are present, so there is no download/installation risk from this package itself.
Credentials
Functionality described (transaction exports, account syncing, transfers) would normally require bank/API credentials and possibly OAuth tokens. The skill declares no required environment variables, credentials, or config paths — the requested access is therefore disproportionate or simply missing.
Persistence & Privilege
always:false and no special config or system paths are requested. The skill does not request persistent/system-level privileges in the provided metadata.
What to consider before installing
This package is just a high-level guide — it claims realtime syncing and transactional capabilities but provides no code, no integrations, and asks for no credentials. Before installing or using it: (1) ask the author how syncing is implemented, which APIs/endpoints are used, and where any credentials would be stored; (2) do not provide bank credentials or tokens to an unknown skill; (3) prefer skills that explicitly declare required env vars, OAuth flows, and a vetted install mechanism if they need access to your accounts; (4) if you need real payment/transfer automation, use official bank/UnionPay apps or thoroughly-audited integrations. The current package is inconsistent and should be treated cautiously.
Like a lobster shell, security has layers — review code before you run it.
latest vk975jx9va9q17a9t2e5y5xbkvh835v8t
