Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawMart Customer Insights

v1.0.0

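Analyzes customer behavior and deal data to provide customer tiering, deal prediction, and personalized marketing recommendations, supporting targeted follow-up and higher conversion.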

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the SKILL.md: it asks for customer data sources (WeChat, email, CRM) and promises analysis, segmentation, and recommendations. There are no unrelated binaries, env vars, or config paths requested.
Instruction Scope
SKILL.md is high-level and focuses on analyzing customer data (chat logs, emails, CRM). It does not instruct the agent to read arbitrary system files or exfiltrate data, but it also does not specify how data should be supplied, how PII is handled, or whether processing happens locally or externally—this vagueness increases privacy risk depending on how the agent is used.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes disk-write/install risk. The 'Technical stack' note (Node.js/Python/GLM-5/local storage) is descriptive only and not implemented here.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does expect access to user data sources (WeChat, email, CRM), which is proportionate to its purpose but should be provided explicitly and securely by the user rather than left to the agent to fetch without consent.
Persistence & Privilege
Flags: always=false and user-invocable=true. The skill does not request persistent privileges or to modify system/agent-wide settings.
Assessment
This instruction-only skill appears coherent with its stated purpose, but it expects access to potentially sensitive customer data (WeChat chats, emails, CRM exports). Before using: (1) Confirm where data will be processed (locally vs sent to external services/third-party models). (2) Never hand over live credentials—provide sanitized/exported datasets (CSV/JSON) with PII redacted or pseudonymized. (3) Ask the skill author or provider for an install/runtime spec if you expect local model use (the SKILL.md mentions GLM-5/local storage but supplies no implementation). (4) If regulated data is involved (personal data, financial info), verify compliance with privacy laws and your company policy. Additional information that would change this assessment: any install scripts, network endpoints where data is sent, or requested credentials—these could raise the assessment to suspicious if they appear unrelated or opaque.
