store-hopper

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches day-trip planning, but its page-fetching helper is designed to bypass anti-bot protections and use third-party reader proxies, so it deserves review before installation.

Install only if you are comfortable with the skill using external search, weather, map, and reader-proxy services, and with its anti-bot scraping behavior. Ask the agent to show sources, avoid private/authenticated URLs, and consider disabling Camoufox/proxy fetching unless you explicitly need it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may access sites in ways those sites try to block, creating reliability, policy, or terms-of-service risk for the user.

Why it was flagged

The fetcher is explicitly designed to use an anti-detection browser to bypass anti-scraping or Cloudflare protections for fetched pages, which is more aggressive than ordinary guide lookup.

Skill content

1. Camoufox (strongest anti-scraping countermeasure; can bypass Zhihu/Xiaohongshu/Cloudflare, etc.)

Recommendation

Make anti-detection or protection-bypass fetching opt-in, disclose it prominently in SKILL.md, and prefer public APIs or normal fetching by default.

What this means

Page URLs, including any query strings in those URLs, may be shared with third-party reader services during page extraction.

Why it was flagged

Fetched URLs are sent through external reader/proxy services such as Jina, markdown.new, and defuddle.md.

Skill content

service_url = PROXY_SERVICES[method]["url"].format(url=url) ... ["curl", "-s", "-L", service_url]

Recommendation

Disclose the proxy services, avoid proxying private or authenticated URLs, and provide a user-controlled opt-out.

What this means

Package behavior can vary by version or source, making the runtime harder to reproduce and review.

Why it was flagged

The skill relies on manually installed, unpinned Python packages rather than a declared, version-pinned install specification.

Skill content

Dependencies: `pip install ddgs requests beautifulsoup4 lxml`

Recommendation

Declare dependencies in an install spec or lockfile with pinned versions and clear provenance.

What this means

Location and POI queries may be sent using embedded or optional map-provider credentials.

Why it was flagged

The route helper embeds a map-service key for Tencent web geocoding. This supports the stated routing purpose, but it is provider/API authority that is not declared in metadata.

Skill content

_TENCENT_KEY = "NQQBZ-YDDK4-7G2UP-XCWS6-VMOB5-S5BN3"

Recommendation

Declare all provider credentials and keys clearly, and prefer user-supplied keys or documented public endpoints.

What this means

Users may receive recommendations without knowing where the supporting information came from.

Why it was flagged

The skill instructs the agent not to name source platforms, which can reduce provenance transparency for recommendations.

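Skill content

Do not reveal the names of the platforms the guides come from (do not mention Xiaohongshu, Dianping, etc.); just say "popular guide recommendations"

Recommendation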

Allow source attribution or clearly state when recommendations are aggregated from unnamed public guide sources.