meituan-coupon-order-assistant

Searching products, logging into Meituan, claiming coupons, using location, and placing orders are broadly aligned with the stated assistant purpose. The concern is that the bundled CLIGuard code performs host fingerprinting and remote signed update checks that are not clearly disclosed as part of the shopping/order workflow.

The skill asks agents to trigger on broad everyday phrases and to run environment setup silently on first use; it also instructs automatic coupon claiming and long-term location authorization persistence, which need clearer front-loaded user control.

The runtime init path attempts npm-based dependency installation, including global installation of a pt-passport package from a bundled tgz pattern and local/global qrcode installation. The submitted artifact list does not include the expected pt-passport tgz, so setup behavior is both host-modifying and brittle.

Network calls to Meituan endpoints are expected for this purpose, but the obfuscated CLIGuard component collects system attributes and maintains a remote update channel, which exceeds what a coupon/order assistant plainly needs.

The skill persists device tokens under the user's home directory, stores state in .state.json, writes long-term memory for location authorization, passes account tokens through process arguments, and bundles a detached CLIGuard daemon with PID/lock/version files and self-restart behavior.