Skill v1.0.1

ClawScan security

拼多多返利 (Pinduoduo rebate) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 7:20 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime rules largely match a rebate/link-generation service, but there are several inconsistencies and privacy/phishing risks (external custom auth domain, enforced verbatim output of script results, and included executable scripts despite 'instruction-only' metadata) that warrant caution.
Guidance
This skill appears to implement the claimed rebate flows, but exercise caution before installing or authorizing it:
1) The skill directs users to a custom domain (xiaomaxiangshenghuo.io.mlj130.com) for authorization and for following a public account. Verify this service and its privacy policy before completing any authorization.
2) The skill requires execution of the included Node scripts, which call remote APIs (search, create rebate link, withdraw) and persist a local machine code and openid binding. Do not provide sensitive credentials or payment information unless you trust the operator.
3) SKILL.md forces the assistant to return script output verbatim, including links, so the assistant will not add safety warnings; be careful clicking links returned by the skill.
If you need higher assurance, ask the publisher for a homepage or a source/organization identity, or run the skill in a sandboxed environment and inspect its network calls (or review common.js for the exact backend URLs) before authorizing any account bindings.

Review Dimensions

Purpose & Capability
note: The skill claims to be a unified rebate assistant (PDD/Taobao/JD.com) and the code implements link recognition, product search, lease/apply and withdraw flows that align with that purpose. Minor mismatch: the registry name emphasizes 拼多多 (Pinduoduo) but the code supports tb/jd/pdd; not dangerous, but worth noting.
Instruction Scope
concern: SKILL.md requires that script stdout be returned verbatim and forbids adding any explanation. The scripts produce external URLs and user-facing auth/follow links, so this rule prevents the assistant from adding safety or contextual warnings or sanitizing the returned text. The runtime also requires executing scripts that may call remote APIs and return HTML or links directly to the user.
Install Mechanism
note: The registry lists 'no install spec' (instruction-only), but the bundle contains many runnable Node scripts and SKILL.md carries build instructions. The mismatch matters: the skill executes code shipped in the package rather than being purely instruction-only; there is no package install URL, but the local scripts will be executed.
Credentials
concern: No environment variables or secrets are declared, which is reasonable. However, the code calls external rebate backend APIs (search, create rebate link, withdraw, etc.) and uses a custom domain (xiaomaxiangshenghuo.io.mlj130.com) for its auth, follow and landing pages. The skill saves a local 'machine code' and openid binding, so it stores user identifiers locally and exchanges them with the remote service. Users should verify the third-party domain before authorizing.
Persistence & Privilege
note: always:false. The skill persists local state (machine code, openid binding, pending auth requests) for its own flows but does not request system-wide privileges or modify other skills. That persistence is expected for a service with an authorization flow, but combined with the enforced verbatim-return rule it increases the risk of returning unvetted links.