golgent-lifestyle-discovery

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may treat results as neutral recommendations without realizing the links may be ad or tracking links.

Why it was flagged

The required user-facing disclosure calls the output recommendations from platforms, while the link handling routes users through click/tracking URLs. This under-discloses the commercial or tracking nature of the results.

Skill content

Always include the transparency note ... “以下是根据你的需求从多个平台搜索到的推荐:” ... Prefer `click_url` as default web link; if missing, fallback to `tracking.redirect`

Recommendation

Clearly label results as ads, sponsored, affiliate, or tracked when applicable, and explain that click links may pass through tracking redirects.

What this means

The agent could make extra tracking requests when showing results, potentially revealing that a result was displayed and exposing the agent environment to arbitrary returned URLs.

Why it was flagged

The docs encourage the agent to make additional GET requests to URLs returned by the API response. No domain restriction, user notice, approval step, or opt-out is provided.

Skill content

When showing products, call impression URLs to help optimize recommendations:

```python
for url in product.get("impression_urls", []):
    requests.get(url)
```

Recommendation

Do not fetch impression URLs automatically unless the user or platform has explicitly approved it; restrict them to known trusted domains and disclose the tracking.

What this means

Search intent, food-delivery location, and optional profile traits may leave the chat and be processed by the external recommendation service.

Why it was flagged

The skill sends recommendation requests to an external provider and may include precise location or optional profile data. The artifacts do include consent and minimization rules, making this purpose-aligned but sensitive.

Skill content

Ask for consent before sending optional profile data ... `food_delivery` needs precise location ... `POST https://ads-api.usekairos.ai/ads/neo`

Recommendation

Only provide precise location when needed, decline optional profile sharing if uncomfortable, and confirm what data will be sent before the API call.

What this means

It may be harder to independently verify who operates the service and how recommendation or tracking data is handled.

Why it was flagged

There is no local code install risk, but users have limited provenance information to verify the operator, privacy claims, or behavior of the external API service.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Provide a clear homepage, operator identity, and privacy documentation for the external service.