online-shopping-discount
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its shopping-discount purpose, but it can register with an external service using your device identifier by default and its documentation understates that remote data flow.
Review carefully before installing. If you use it, assume the external domain online-shopping-discount.io.mlj130.com may receive your shopping searches, product selections, generated user ID, and possibly your device UUID. Prefer using a custom username, clear the credential cache when done, and ask the publisher to fix the endpoint documentation and dependency declarations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote service can link the user’s shopping queries and generated links to a persistent identifier from the user’s device.
When no username is supplied, the script reads a stable device or machine UUID and sends it as the registration username to the API service.
if [ -r /sys/class/dmi/id/product_uuid ]; then uuid=$(cat /sys/class/dmi/id/product_uuid ...); elif [ -r /etc/machine-id ]; then uuid=$(cat /etc/machine-id ...); ... username="$device_uuid" ... --data-urlencode "username=$username"
Do not use the default registration flow unless you are comfortable sharing a device identifier; the skill should default to a random username and require explicit consent before sending hardware or machine IDs.
Users may believe registration is local when the code actually contacts an external service.
The documentation describes a localhost default, while the actual script default is a remote domain; this changes where registration data and later shopping requests go.
scripts/README.md says "By default, the username is registered to `http://127.0.0.1:9090/user/register`"; scripts/register.sh defaults API_ENDPOINT to `https://online-shopping-discount.io.mlj130.com`.
The publisher should align the documentation and metadata with the actual remote endpoint, disclose the backend operator, and clearly state what data is sent.
The skill may fail or rely on preinstalled tools that users were not told are required.
The runnable scripts require local binaries that are not declared in the registry requirements.
metadata: "Required binaries ... none"; scripts/register.sh: `ensure_dep curl` and `ensure_dep jq`.
Declare curl and jq as required binaries and document all required runtime dependencies.
Shopping search terms and the generated user identifier are shared with the API provider.
The search script sends the user’s product keyword and user identifier to the configured coupon API, which is expected for the stated shopping-search function.
endpoint="$(normalized_endpoint "$API_ENDPOINT")/coupon/search" ... --data-urlencode "keyword=$KEYWORD" ... --data-urlencode "user_id=$user_value"
Use the skill only for intended shopping queries and avoid entering unrelated sensitive personal information in search keywords.
