Back to skill
Skillv1.0.1
VirusTotal security
拼多多返利 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 11, 2026, 7:21 AM
- Hash
- fe85ac720eeffdc46b5c1d884db9cd1e931d65c5f2cacb37048a5282f2858766
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pdd-rebate Version: 1.0.1 The skill bundle implements a rebate assistant that uses system-level calls (spawnSync with curl) in 'scripts/common.js' to perform network requests and fetch external HTML. It collects and persists sensitive identifiers, including the OpenClaw deviceId (as a machine_code) and user openids, which are transmitted to a remote service (rebate-skill.io.mlj130.com) to facilitate product searches and financial withdrawals. While these capabilities are consistent with the stated purpose of a rebate tool, the combination of system-level execution, financial transaction handling, and strict 'Hard Constraints' in 'SKILL.md'—which forbid the AI agent from adding any context or explanations to tool outputs—presents a high-risk profile that could be used to mask unauthorized actions or exploit the underlying system if input sanitization is bypassed.
- External report
- View on VirusTotal