Cid Tracking

v1.0.0

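Supports ad CID generation, conversion postback, ROI analysis, anomaly monitoring, and professional Excel reports for the Douyin, Kuaishou, and Tencent platforms, helping second-category e-commerce sellers manage their ad spend.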

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts: CID generation, platform data fetching, conversion backfill, ROI analysis, anomaly detection, and Excel report generation. The skill legitimately needs ad-platform credentials (shown in config.example.json) and network access to the respective platform APIs.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a local config.json and input JSON files and to call the official ad-platform APIs (oceanengine, kuaishou, e.qq.com). The code writes reports and alert files locally. There are no instructions to read unrelated system files, enumerate environment secrets, or post data to unknown/personal endpoints. Note: Tencent sign/authorization is marked TODO in the code and the script prints a warning — calls to Tencent endpoints may fail or behave differently until signing is implemented.
Install Mechanism
No install spec in the registry (instruction-only skill). Dependencies are Python libraries listed in requirements.txt (openpyxl, pandas, requests, etc.), which is proportionate to Excel/reporting and HTTP API usage. No suspicious remote downloads or archive extraction are present.
Credentials
The only secrets shown are platform API credentials in config.example.json (app_id, access_token, secret_id/secret_key, account_id), which are appropriate and necessary for the declared functionality. The registry metadata did not declare env vars, but the SKILL.md and code use a local config.json file for credentials rather than environment variables—this is a design choice, not evidence of unrelated credential access.
Persistence & Privilege
Flags show no elevated persistence (always:false). The skill does not request to modify other skills or global agent settings. It runs as normal scripts and writes outputs to local files as expected.
Assessment
This package appears coherent with its stated purpose, but before installing or running it: (1) Review and supply credentials in a private config.json (do not commit secrets into a repo). (2) Use least-privilege API tokens where possible and rotate them if exposed. (3) Test against sandbox/test accounts first — the Tencent signing flow is not implemented in the code and related calls may fail or require manual implementation. (4) Run in an isolated environment (container/VM) if you want to limit blast radius from network activity. (5) If you integrate automatic notifications (e.g., piping alert.txt to a notification tool like send-to-wechat), verify that notification tooling is trusted and does not leak data. (6) If you need stronger secrecy controls, consider adapting the code to read credentials from a secrets manager or environment variables rather than a plaintext config file.

Like a lobster shell, security has layers — review code before you run it.
