Trusted — Risk Score 5/100
Last scan: 16 hr ago
xianyu-sam-order
Xianyu Sam's Club proxy ordering - configure your own account
Benign help/config tool that only reads environment variables and prints usage instructions with no network, file-write, or shell operations.
Skill Name: xianyu-sam-order
Duration: 24.6s
Engine: pi
Safe to install
Skill is safe to use. No malicious behavior detected.

Findings: 1 item

| Severity | Finding | Location |
|---|---|---|
| Low | Malformed SKILL.md with appended JSON (Doc Mismatch) | SKILL.md:57 |

SKILL.md has YAML frontmatter (---) but the closing --- is missing, and a JSON object is appended after. The JSON is harmless (name, version, author) but indicates a documentation formatting issue.
{ "name": "xianyu-sam-order", "version": "1.0.0", "author": "OpenClaw" }
→ Fix SKILL.md formatting by removing the stray JSON and ensuring proper YAML frontmatter closure.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem access in scripts/order.py |
| Network | NONE | NONE | | No network calls in scripts/order.py |
| Shell | NONE | NONE | | No subprocess or shell execution in scripts/order.py |
| Environment | READ | READ | ✓ Aligned | scripts/order.py:11-12 uses os.environ.get for XIANYU_COOKIE and SAM_PHONE |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

File Tree

3 files · 2.5 KB · 110 lines
Markdown 1f · 57L Python 1f · 48L JSON 1f · 5L
├─ 📁 scripts
│ └─ 🐍 order.py Python 48L · 1.2 KB
├─ 📋 _meta.json JSON 5L · 79 B
└─ 📝 SKILL.md Markdown 57L · 1.2 KB

Security Positives

✓ No network requests or external communication
✓ No shell or subprocess execution
✓ No file write operations
✓ No credential exfiltration
✓ No obfuscation or encoded payloads
✓ Environment variable access is declared and consistent with SKILL.md documentation
✓ Simple, readable code with no hidden functionality
✓ Skill behavior matches documented description (help text and env config check)