Ai Promotion Query
Advisory
Audited by Static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may allow the connected OpenAPI workflow to read promotion data from the currently logged-in Tencent Musician account for the token lifetime.
The skill uses a logged-in Tencent Music account token to access current-user promotion data. This is expected for the stated purpose, but it is a persistent account credential even though registry metadata lists no primary credential.
First use pops up a browser for QR-code login; the token is valid for about 30 days ... On `UNAUTHORIZED`, guide the user to delete `~/.tme-login/token.json` and re-run
Use it only if you trust the associated tme-openapi skill and are comfortable with the TME login. Delete `~/.tme-login/token.json` to revoke the local session if needed.
If the wrong operator were selected, the agent could query unintended TME API data, though the provided instructions target read-only promotion data queries.
The skill delegates backend access to a generic API discovery and invocation flow. The documented use is limited to promotion-query operators, but the user should know the agent is selecting and invoking API operators dynamically.
`search_apis` / `get_api_detail` / `invoke_api` ... actually issues the business call (returns the result synchronously) ... does not hard-code any `operatorCode` or parameter structure
Keep API invocation limited to the documented promotion overview and song-metric operators, and require explicit user approval before any non-query or account-changing API action.
The security of the actual API calls depends on the separate tme-openapi skill installed in the environment.
This package is instruction-only and relies on another skill's scripts that are not included in the supplied artifacts, creating a dependency/provenance item for users to verify.
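This Skill does not ship its own API call scripts; discovery and invocation of all TME OpenAPI operators are delegated to the `tme-openapi` Skill ... the scripts are located in the sibling directory `../tme-openapi/scripts/`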
Review or install tme-openapi only from a trusted source, and confirm it handles tokens and API calls as described.
Account promotion data may be processed across multiple skills before a final answer is shown.
Promotion metrics are intended to flow between this skill, an upper agent, the tme-openapi skill, and a structured-output skill. This is disclosed and purpose-aligned, but those other components are outside the provided review set.
This Skill's output is the internal data basis for the upper-level Agent (`ai-promotion/readme.md`) and is not directly user-facing. Final...output through the `宣推结构化输出` skill
Ensure all referenced companion skills are trusted and avoid sending promotion metrics to unrelated tools or agents.
