Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

唯品会返利管家 (VIPShop Rebate Manager)

v0.1.0

A VIPShop (唯品会) shopping rebate and order management tool: tracks the status of VIPShop rebate orders, tallies the money saved on brand flash sales, and manages the use of VIPShop coupons.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to '同步唯品会返利订单' (sync VIPShop rebate orders) and provide lifecycle tracking and reminders. However, the SKILL.md and registry metadata declare no authentication method, no required API keys, and no config paths. It's unclear how the skill expects to access user order data (official API/OAuth, user-supplied export, web scraping, or manual entry). This mismatch is a usability/authorization gap that could be benign (left intentionally vague) or indicate missing design details.
Instruction Scope
The SKILL.md is high-level and only describes features and output formats; it does not instruct the agent to read system files, environment variables, or perform network calls to any specific endpoint. The instructions are vague about how data is obtained, stored, or transmitted, which grants broad implementation freedom and creates an information gap for security review.
Install Mechanism
No install spec and no code files — instruction-only. This is lower risk because nothing is automatically written to disk by the skill package itself.
Credentials
The skill declares no required environment variables or credentials. Given its purpose (accessing user orders and notifying about rebates/coupons), some form of authentication or access to user data will be required at runtime. The lack of declared credentials is not necessarily malicious but is an important omission: you should ask how authentication and data access are handled before using it.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges. It is user-invocable and allows normal autonomous invocation (platform default). Nothing in the metadata indicates it modifies other skills or system-wide settings.
What to consider before installing
Before installing or using this skill, ask the publisher:
(1) How will it access your 唯品会 account/orders? (official API with OAuth, cookies, manual paste, or scraping?)
(2) Where and how is your order data stored, and for how long? (local only, platform storage, third-party services?)
(3) What authentication tokens or credentials will you be asked to provide in-chat? Never paste passwords in public chat; prefer short-lived OAuth tokens if supported.
Because the SKILL.md is high-level and declares no auth mechanism, treat it as incomplete: only proceed if the author documents a safe, minimal authentication flow (e.g., OAuth or manual exports) and you trust the source. If in doubt, do not share account passwords or cookies; instead use exports or anonymized data for testing.


latest: vk97cc3jt3nctkmby6f9ax1pzex83s7v5
