Security Scan
OpenClaw
Suspicious
medium confidence
The skill's behavior mostly matches its description (it fetches coupons) but has multiple incoherencies and a notable risk: it sends all requests to an unknown external gateway and its declared install/requirements metadata doesn't match the registry manifest or the code, so proceed with caution.
Assessment recommendations
This skill will make outbound requests to https://agskills.moontai.top to fetch coupons rather than calling official platform APIs. Before installing or running it: 1) treat the gateway as an untrusted endpoint: do not provide any credentials or sensitive data to it; 2) prefer running the script in a network-restricted sandbox or isolated environment; 3) confirm the 'uv' package source and avoid installing unfamiliar packages globally; 4) ask the author for the gateway's ownership or a public r...
Detailed analysis
⚠ Purpose and capability
The skill claims to obtain coupons for multiple Chinese platforms and the code does call a coupon endpoint, so the purpose aligns at a high level. However the registry metadata lists no required binaries while SKILL.md metadata asks for a 'uv' binary and pip installs; that mismatch is incoherent. The script always calls a single third-party gateway (https://agskills.moontai.top) rather than platform APIs, which is not explained by the description and concentrates network traffic to an unknown host.
⚠ Instruction scope
SKILL.md instructs running the bundled script via 'uv run'. The script does not read/write local files (as claimed) and does not request local credentials, but it performs outbound HTTP GETs to the remote gateway for coupon data. That means executing the skill will contact an external service controlled by whoever runs that domain; the instructions do not warn about that or provide a trusted upstream. Also the script ignores the 'source' parameter and always calls the same endpoint, showing sloppy or unreviewed logic.
ℹ Install mechanism
There is no platform-level install spec, but SKILL.md includes an install block recommending installing 'uv' (brew/pip) and several pip packages (aiohttp, argparse, PyYAML). Using pip for aiohttp/PyYAML is normal; 'argparse' is part of the Python stdlib (installing it via pip is unnecessary) and 'uv' is ambiguous — it may be an uncommon CLI and could come from an untrusted package. Overall install instructions are moderate risk and include unnecessary/odd entries.
✓ Credential requirements
The skill does not request environment variables, secrets, or config paths. The code likewise doesn't read env vars or files. This is proportionate to the stated purpose. The only mismatch is metadata indicating a binary requirement ('uv') that the registry manifest did not declare.
✓ Persistence and privileges
The skill does not request persistent presence (always: false), does not modify other skills' configs, and has no install operations that write custom system-wide settings. No elevated privileges are requested.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.3 2026/3/12
- Switched all coupon retrieval to use the unified /coupon/takeout API endpoint for all platforms.
- Updated documentation to reflect this interface change and clarify parameters.
- Minor edit: clarified that modifying interface returns may invalidate coupons.
● Benign
Install command
Official: npx clawhub@latest install obtain-takeout-coupon
Mirror (accelerated): npx clawhub@latest install obtain-takeout-coupon --registry https://cn.longxiaskill.com