A skill for getting the best prices and coupons for goods on Taobao, TMall, JD.com, PinDuoDuo, Douyin and KaiShou, comparing product prices across the whole web; use it when the user wants to shop or obtain discount information. Get the best price, coupons for goods on Ch...
Security Analysis
High confidence: The skill is mostly consistent with its stated purpose (price comparison via maishou88), but it contains undisclosed behavior (a built-in affiliate/invite code via an environment variable that is not documented) and minor install/metadata mismatches that users should be aware of.
The skill's name and description describe cross-platform price comparison; the code actually queries maishou88 APIs which plausibly aggregate those platforms, so capability aligns with purpose. Minor mismatch: the SKILL metadata does not declare the MAISHOU_INVITE_CODE env var the code uses (defaulting to a hard-coded invite code), which can inject affiliate behavior not described in the README.
SKILL.md states the script will not read/write local files and will only request maishou88.com. The code does avoid local file I/O, and it calls msapi.maishou88.com and appapi.maishou88.com (consistent). However the SKILL.md and metadata do not mention the optional MAISHOU_INVITE_CODE env var or that the script will include an invite code by default — this is a scope/behavior omission the user should know about.
Install options include installing the 'uv' runner (brew or pip) and Python deps (aiohttp, PyYAML). Having both brew and pip install options for the same binary and including 'argparse' in pip deps (argparse is in stdlib) are sloppy but not inherently dangerous. No downloads from arbitrary URLs or other high-risk installers are present.
The skill metadata declares no required env vars, but the code reads MAISHOU_INVITE_CODE (defaulting to '6110440'). This gives the publisher an implicit affiliate/invite attribution unless the user overrides it. That credential-like variable is not documented in the SKILL.md or metadata and should be declared and explained.
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs as a simple client script and only makes outbound HTTP requests.
Guidance
This skill behaves like a price aggregator that queries maishou88 APIs and does not read/write local files; that part is coherent. However:
- The script embeds a default invite/affiliate code (MAISHOU_INVITE_CODE="6110440") but the SKILL.md and metadata don't mention it. That means the publisher may receive affiliate credit by default; set MAISHOU_INVITE_CODE='' if you want to avoid that, or set your own code.
- The installer lists both brew and pip install options for 'uv' and includes an unnecessary 'argparse' pip dependency; not dangerous but sloppy.
- The script makes network requests to msapi.maishou88.com and appapi.maishou88.com; treat returned purchase links cautiously before opening them (they may be affiliate links or redirectors).
If you need stricter assurance, ask the publisher to declare MAISHOU_INVITE_CODE in the metadata and to document any affiliate behavior, or review the code locally and run it in a network-restricted environment.
Latest Release
v1.0.2
- Updated installation requirements to use the correct package name: "aiohttp".
Published by @al-one on ClawHub