美团生活服务导购,精准识别用户需求并推送外卖、闪购、餐饮团购、丽人运动休闲、医药五大业务会场链接。
Security Analysis
high confidenceThis Meituan guide skill appears purpose-related, but it needs Review because it handles account tokens and binding secrets with broad triggers, silent network/setup actions, and under-scoped local secret exposure.
The core goal of recommending Meituan venue links matches the artifacts, but the skill also drives account authorization, token polling, binding to media code words, and promotional link delivery from very broad shopping/food/discount triggers.
SKILL.md requires many script calls, local state checks, token operations, and version checks to happen silently, while also activating on generic phrases such as recommendations, discounts, food, shopping, and medicine needs.
init.sh installs or updates a global pt-passport CLI from a local tgz, and qrcode.sh can silently run npm install -g qrcode, mutating the host environment without clear user approval.
Local token files, binding records, logs, Meituan APIs, internal Friday endpoints, GitHub update checks, and global Node tooling are all used; much of this is related to the purpose, but the disclosure and user control are not proportional.
The skill persists device_token, codeWord, venue links, and logs under the user's home/temp directories, exposes codeWord through a CLI command, and diagnostic tools can decrypt and print sensitive log contents.
Guidance
Install only if you are comfortable authorizing a Meituan account, storing local tokens and binding secrets, and allowing this skill to run setup scripts and network checks in the background. Review is warranted until the publisher narrows triggers, makes installs/network/token handling explicit, removes raw secret output, and masks diagnostic data by default.
Latest Release
v1.0.0
Meituan Venue Guide Skill v1.0.0 released - New intelligent lifestyle recommendation assistant for Meituan, covering five service lines: Food Delivery, Flash Shopping, Restaurant Group-buy, Leisure Lifestyle, and Medicine Delivery. - Automatically identifies user intent and pushes the appropriate Meituan venue link for needs like dining, shopping, leisure, or buying medicine. - Rigorous access and authorization processes ensure privacy and security; guides users through clear, friendly steps if login or token refresh is needed. - Friendly, concise, and local Chinese tone in user interactions—like getting advice from a savvy friend, not a customer service script. - Comprehensive error handling and strict privacy rules—never shows tokens or technical details to users. - Does not respond to pure information queries (e.g., "how to register Meituan").
Popular Skills
Published by @meituan-union on ClawHub
