v1.0.0

C2C Platform Skill System

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:08 PM.

Analysis

This instruction-only skill matches its C2C-platform purpose, but it asks an agent to process broad personal, payment, IM, and profiling data and to produce automated user-facing ranking rules, so it should be reviewed carefully before use.

Guidance: Install or use this skill only if you are authorized to process the platform data it describes. Prefer anonymized or minimized datasets, do not provide live credentials unless absolutely necessary, and require human approval before any outputs change rankings, moderation, payouts, user messaging, or production business rules.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
references/C2-content.md
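C2-17 Listing quality scoring system: AI autonomy level: ⬛; downranking and alert rules for low-quality listings; weight mapping between quality score and search ranking/recommendation exposure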

The skill allows fully automatic generation of rules that can affect listing quality scores, downranking, search ordering, and recommendation exposure.

User impact: If these outputs are applied directly, service providers or listings could be promoted, demoted, or flagged without clear human review.
Recommendation: Require human approval, audit logging, testing, and rollback plans before applying ranking, moderation, or exposure changes in production.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
references/C4-analytics.md
C4-01 Transaction data collection and cleaning: order event stream includes user_id, provider_id; payment event stream includes amount, status; 易点 ledger includes withdraw/freeze/unfreeze, balance_after

The analytics workflow depends on privileged transaction, payment, and virtual-currency ledger data.

User impact: This is expected for a transaction-platform analytics skill, but misuse or over-sharing could expose financial activity and account-level history.
Recommendation: Provide least-privilege exports rather than live credentials, mask identifiers where possible, and verify that the agent is authorized to handle the data.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
references/C1-intelligence.md
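C1-16 User profile collection: registration information, browsing history, order posting/acceptance records, search keywords, IM communication records; age, gender, occupation, income range (inferred); AI autonomy level: ⬛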

This directs the agent to fully automate profile generation from private behavior, communications, demographics, and inferred income.

User impact: If live platform data is provided, the agent could process highly sensitive user information and create reusable profiles across tasks.
Recommendation: Use only authorized, minimized, de-identified datasets; require privacy/legal review and human approval before using profile outputs.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
references/C5-knowledge.md
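C5-30 Knowledge graph construction: business entity relationships (user ↔ order ↔ service provider ↔ listing ↔ 易点 ↔ completion code ↔ credit score ↔ 3-level distribution chain); Neo4j/RDF format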

This proposes a persistent graph that links sensitive user, transaction, virtual-currency, credit, and referral-chain data for later reuse.

User impact: Sensitive platform data could become long-lived agent context or knowledge-base material beyond the original task.
Recommendation: Define access controls, retention limits, deletion procedures, and redaction rules before creating any persistent graph or reusable knowledge base.