shopping-affiliate-search Security Report — Low Risk | ClawSafe

10 /100

shopping-affiliate-search

全球购物搜索联盟工具 - 搜索淘宝/京东/亚马逊等平台商品，自动添加推荐码获取佣金

Legitimate shopping affiliate search tool with no malicious behavior detected. Uses only standard Python library, performs declared functionality, and stores config locally.

Skill Nameshopping-affiliate-search

Duration26.9s

Enginepi

✓

Safe to install

No action required. The skill is a benign affiliate marketing tool.

Findings 1 items

Severity	Finding	Location
Low	Missing allowed-tools declaration Doc Mismatch SKILL.md does not explicitly declare allowed-tools mapping. While this is informational, best practice suggests declaring filesystem:WRITE and network:READ for this tool. `metadata: openclaw: emoji: 🛒` → Add allowed-tools section to metadata: filesystem:WRITE, network:READ	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✓ Aligned	SKILL.md:32-40 - config command writes to config/affiliate_config.json
Network	`NONE`	`READ`	✓ Aligned	scripts/search.py:96-172 - constructs affiliate URLs for legitimate platforms
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	No environment variable access
credential_theft	`NONE`	`NONE`	—	No credential harvesting - only accesses its own config file
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

19 findings

🔗

Medium External URL 外部 URL

https://pub.alimama.com

README.md:51

🔗

Medium External URL 外部 URL

https://union.jd.com

README.md:56

🔗

Medium External URL 外部 URL

https://jinbao.pinduoduo.com

README.md:61

🔗

Medium External URL 外部 URL

https://affiliate-program.amazon.com

README.md:66

🔗

Medium External URL 外部 URL

https://s.click.taobao.com/xxx

SKILL.md:87

🔗

Medium External URL 外部 URL

https://s.click.taobao.com/yyy

SKILL.md:92

🔗

Medium External URL 外部 URL

https://api.taobao.com

scripts/search.py:37

🔗

Medium External URL 外部 URL

https://api.jd.com

scripts/search.py:42

🔗

Medium External URL 外部 URL

https://api.pinduoduo.com

scripts/search.py:47

🔗

Medium External URL 外部 URL

https://api.amazon.com

scripts/search.py:52

🔗

Medium External URL 外部 URL

https://s.click.taobao.com/t?e=m%3D2%26s%3D

scripts/search.py:100

🔗

Medium External URL 外部 URL

https://img.alicdn.com/example.jpg

scripts/search.py:101

🔗

Medium External URL 外部 URL

https://img.alicdn.com/example2.jpg

scripts/search.py:111

🔗

Medium External URL 外部 URL

https://union.jd.com/link?u=

scripts/search.py:129

🔗

Medium External URL 外部 URL

https://img14.360buyimg.com/example.jpg

scripts/search.py:130

🔗

Medium External URL 外部 URL

https://mobile.yangkeduo.com/duo_coupon.html?pid=

scripts/search.py:148

🔗

Medium External URL 外部 URL

https://img.pddpic.com/example.jpg

scripts/search.py:149

🔗

Medium External URL 外部 URL

https://www.amazon.com/s?k=

scripts/search.py:167

🔗

Medium External URL 外部 URL

https://images-na.ssl-images-amazon.com/example.jpg

scripts/search.py:168

File Tree

3 files · 14.4 KB · 508 lines

Python 1f · 274L Markdown 2f · 234L

├─ ▾ 📁 scripts

│ └─ 🐍 search.py Python 274L · 9.7 KB

├─ 📝 README.md Markdown 89L · 1.7 KB

└─ 📝 SKILL.md Markdown 145L · 3.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`python3-stdlib`	`built-in`	standard library	No	No external dependencies

Security Positives

✓ Uses only Python standard library (no external dependencies with potential vulnerabilities)

✓ No subprocess or shell execution

✓ No credential harvesting from environment variables or sensitive paths

✓ No base64 or obfuscated code

✓ No hidden functionality - code behavior matches documentation

✓ Config stored in project directory, not system paths

✓ No network exfiltration or C2 communication

✓ No reverse shell or remote code execution

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives