vipshop-promotion-search

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local Python scripts (scripts/promotion_search.py) and platform-specific management commands (clawhub install) to manage dependencies and search functionality.
  • [DATA_EXFILTRATION]: The skill reads session information from ~/.vipshop-user-login/tokens.json. This sensitive data is used to authenticate requests to the official Vipshop API (api.union.vip.com). As the skill is authored by the vendor (Vipshop), this behavior is consistent with the intended functionality.
  • [PROMPT_INJECTION]: The instructions use assertive language ("AI must", "strictly follow") and mandate that the agent automatically initiate login processes without waiting for user confirmation. While this increases agent autonomy and reduces user oversight for login actions, it is presented as a functional requirement for the specific service.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 09:32 AM