Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
淘宝返利
v1.0.1返利宝统一技能。只按 3 个用户场景工作:S01 授权与教程、S02 链接返利、S03 商品搜索。用户说“返利”“教程”“详细教程”“提现教程”“提现10元”“确认提现”“我已授权”“账户余额”等走 S01;发送淘宝、京东、拼多多商品链接走 S02;表达想买什么商品时走 S03。S03 的职责是提取商品搜索信息,...
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (淘宝返利 / rebate assistant) aligns with the included scripts: link recognition, product search, rebate-link creation, balance and withdraw flows. However the implementation embeds hard-coded backend URLs (xiaomaxiangshenghuo.io.mlj130.com) and a web-based auth landing flow instead of requiring declared API credentials; that is plausible for this product but should have been documented in metadata (homepage, required endpoints).
Instruction Scope
SKILL.md directs the agent to invoke specific local CLI scripts and to return script stdout verbatim. The scripts themselves perform network calls to a rebate backend, resolve short links, save/load local openid bindings, and may ask the user to follow an external WeChat landing page. The instructions do not ask the agent to read arbitrary system files, but they do force returning third-party content unchanged and to provide auth URLs that embed a machine code — both increase privacy/anti-phishing risk.
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md documents build steps that run 'npm install' and 'npm run build' in the skill workspace. Running npm install will fetch packages from public registries (network fetch) and execute build scripts — this is a moderate-risk install path that is not captured in the skill metadata. The distributed bundle already contains many JS files, but the documented build step should be treated as a potential supply-chain risk.
Credentials
The skill declares no required env vars or credentials, and instead relies on a machine-specific code and a web-based WeChat auth flow (machinecode passed as query parameter to an external auth URL). While not requesting user secrets directly, the skill will cause the user to visit/authorize on an external site and stores an openid binding locally — reasonable for this service but disproportionate to the lack of any documented backend or homepage. Hard-coded external URLs and implicit trust in that backend raise privacy/credential risks (exfiltration of machine code / openid).
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It persists a local 'machineCode' and openid binding within its workspace (expected for an auth flow). Autonomous invocation is enabled by default (normal) and not in itself flagged here.
Scan Findings in Context
[HARDCODED_URL] unexpected: Multiple hard-coded URLs point to https://xiaomaxiangshenghuo.io.mlj130.com (authlogin.html, follow.html, rebate-details.html). A rebate backend is expected, but the domain is not documented in the skill metadata/homepage and is not a widely-known vendor — treat as suspicious unless the operator/public source is verified.
[NETWORK_CALL] expected: scripts call requestRebateV1Json to POST endpoints like /v1/product/search, /v1/rebate/link/create, /v1/withdraw/apply. Network calls to a rebate API are expected for this functionality.
[MODEL_CALL] expected: productSearch.js and fuzzy/precise intent extractors call requestModelJson to run model-based slots extraction. Using an LLM for intent/slot extraction is expected and consistent with the skill's purpose.
[LOCAL_PERSISTENCE] expected: Code saves and loads a local openid binding and machine code (getOrCreateMachineCode, loadLocalOpenidBinding). Persisting an authorization token locally is expected for an OAuth-like binding flow, but users should be aware where this is stored.
What to consider before installing
This skill appears to implement a typical rebate/link workflow (recognize links, search products, generate rebate links, and handle withdraws), but it depends on an external backend hosted at xiaomaxiangshenghuo.io.mlj130.com that is not documented in the skill metadata. Before installing or enabling the skill: 1) Verify the backend/service owner (homepage, source repo, or vendor) to ensure you trust that domain; 2) be cautious about performing the 'WeChat authorization' flow the skill prompts — it will send a machine-specific code to that third-party site and may bind your openid; 3) avoid running the documented 'npm install' build step in a privileged environment — prefer inspecting the bundled code or running in an isolated sandbox; 4) review what personal identifiers you will expose (machine code, openid) and where local binding files are stored; 5) if you can't validate the backend and operator, consider not installing or running the skill. If you want, I can help: a) enumerate the exact network endpoints the code calls, b) search public records for the domain owner, or c) point out exactly which files implement the auth flow so you can review them line-by-line.Like a lobster shell, security has layers — review code before you run it.
latestvk97bnqpwr0yzg1fb4e5hze5cs984nnmm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.