Downloads: 308
Stars: 0
Active Installs: 2
Versions: 1
Install in OpenClaw
/install check-user-fraud
Description
Query MySQL database to analyze user fraud/shuadan behavior. Use when user asks to check if a user is engaging in fraudulent task completion. Analyzes time i...
README (SKILL.md)
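User Fraud (Shuadan) Query
Queries the MySQL database by userId and analyzes whether the user's task-completion behavior indicates shuadan (fraudulent task completion).
Usage Scenarios
Use this skill when you need to check whether a user is engaged in shuadan:
- A user reports an account for shuadan
- The risk-control system flags an anomalous account
- Periodic spot checks of user behavior
- Analyzing task-completion patterns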
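Query Procedure
1. Run the query script
python3 scripts/check_fraud.py <userId>
2. Analysis dimensions
The script automatically analyzes the following indicators:
Time interval analysis
- Time interval from sign-up to submission
- Completion time < 5 minutes: highly suspicious
- Completion time 5-10 minutes: moderately suspicious
Publisher concentration
- Frequently taking tasks from the same publisher
- Same publisher > 10 times: highly suspicious
- Same publisher 5-10 times: moderately suspicious
Task duplication
- Taking the same task multiple times
- Repeated task > 2 times: suspicious
Top (pinned) refresh status
- Whether the task was pinned to the top when it was taken
- Proportion of non-pinned tasks > 70%: suspicious (possibly obtained through unofficial channels)
3. Risk level assessment
- High risk: 2 or more high-risk indicators, or tasks completed in < 5 minutes account for > 50%
- Medium risk: 1 high-risk indicator or 2 medium-risk indicators
- Low risk: no obvious anomalies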
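The thresholds and risk levels above, written out as an added Python example; it is not code from the skill's own scripts. The function name `assess`, the record field names, the indicator type strings, the choice to emit one indicator per dimension, and the mapping of the two plain "suspicious" findings to the medium level are all assumptions.

```python
from collections import Counter

def assess(user_id, records):
    """Score one user's records. Field names are assumptions: signup_ts and
    submit_ts (epoch seconds), publisher_id, task_id, was_top (bool)."""
    found, n = [], len(records)

    def flag(kind, level, description):
        found.append({"type": kind, "level": level, "description": description})

    minutes = [(r["submit_ts"] - r["signup_ts"]) / 60 for r in records]
    fast = sum(m < 5 for m in minutes)
    if fast:
        flag("time_interval", "high", f"{fast}/{n} tasks submitted in under 5 minutes")
    elif any(m <= 10 for m in minutes):
        flag("time_interval", "medium", "tasks submitted within 5-10 minutes")

    per_publisher = max(Counter(r["publisher_id"] for r in records).values(), default=0)
    if per_publisher > 10:
        flag("publisher_concentration", "high", f"{per_publisher} tasks from one publisher")
    elif per_publisher >= 5:
        flag("publisher_concentration", "medium", f"{per_publisher} tasks from one publisher")

    # The README calls the next two only "suspicious"; medium is an assumption.
    per_task = max(Counter(r["task_id"] for r in records).values(), default=0)
    if per_task > 2:
        flag("task_duplication", "medium", f"one task taken {per_task} times")
    not_top = sum(not r["was_top"] for r in records)
    if n and not_top / n > 0.7:
        flag("top_refresh", "medium", f"{not_top}/{n} tasks were not pinned when taken")

    high = sum(i["level"] == "high" for i in found)
    medium = sum(i["level"] == "medium" for i in found)
    if high >= 2 or (n and fast / n > 0.5):
        risk = "high"
    elif high == 1 or medium >= 2:
        risk = "medium"
    else:
        risk = "low"
    return {"userId": user_id, "total_records": n, "records": records,
            "fraud_indicators": found,
            "summary": {"risk_level": risk, "conclusion": f"{risk} risk",
                        "indicators_count": len(found),
                        "high_risk_count": high, "medium_risk_count": medium}}

# Constructed sample: 12 tasks from one publisher, each submitted after 3 minutes.
SAMPLE = [{"signup_ts": 1000 * i, "submit_ts": 1000 * i + 180, "publisher_id": "p1",
           "task_id": f"t{i}", "was_top": True} for i in range(12)]
RESULT = assess("u-constructed", SAMPLE)
```
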
Database Configuration
- Host: rr-wz97dxha81orq30j0eo.mysql.rds.aliyuncs.com
- Port: 3389
- User: oc_gw
- Password: m83KkZVLQp2Wg7HgDVb5cRjQ
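SQL Query Reference
See the references/ directory for the detailed SQL statements:
- query_user_records.sql - queries the user's task-completion records
- query_top_refresh.sql - queries the task's pinned-to-top status
- fraud_analysis_guide.md - explanation of the fraud analysis indicators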
Output Format
{
"userId": "user ID",
"total_records": total number of records,
"records": [...], // detailed records
"fraud_indicators": [ // suspicious indicators
{
"type": "indicator type",
"level": "high/medium/low",
"description": "description"
}
],
"summary": {
"risk_level": "high/medium/low",
"conclusion": "conclusion",
"indicators_count": number of indicators,
"high_risk_count": number of high-risk indicators,
"medium_risk_count": number of medium-risk indicators
}
}
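Notes
- pymysql must be installed:
pip install pymysql
- The database name must be confirmed and then filled into the script
- Query results contain sensitive information; keep them confidential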
Usage Guidance
This package appears to do what it says (fraud analysis) but includes hard-coded database credentials and queries that return sensitive user and billing data. Before installing or running:
1. Do NOT run these scripts on a machine with access to other sensitive systems; run in an isolated, network-restricted environment.
2. Verify the origin and trustworthiness of the skill author; there is no homepage or known source.
3. Treat the embedded DB host/credentials as sensitive: confirm whether they are real, revoke or rotate them if they are production credentials, and prefer injecting credentials at runtime via environment variables or a secrets manager rather than using values in code.
4. Confirm you have legal/organizational authorization to query the described data (PII/financial records).
5. Ask the author for proof that the DB endpoint is a sanitized/test instance (or ask for the credentials to be removed and replaced with a configuration template).
6. If you must use the skill, review the scripts line-by-line for any unexpected network calls or data exfiltration, and consider running under network egress restrictions so results cannot be sent to unintended endpoints.
Additional information that would raise confidence: confirmation that the RDS host is a non-production/test instance, removal of embedded credentials, and a packaged mechanism that requires the operator to supply DB credentials at runtime (env vars or secret manager).
Capability Analysis
Type: OpenClaw Skill
Name: check-user-fraud
Version: 1.0.0
The skill bundle contains hardcoded plaintext credentials (host, port, username, and password) for a remote Aliyun RDS MySQL database (rr-wz97dxha81orq30j0eo.mysql.rds.aliyuncs.com) across nearly all Python scripts, including fraud_analyzer.py and check_fraud.py. The scripts are designed to query and exfiltrate extensive PII, such as mobile numbers, real names, partial ID numbers, device IDs, and detailed transaction/login logs. While this functionality is consistent with the stated goal of fraud analysis, hardcoding production-level credentials and providing direct access to sensitive user data represents a critical security vulnerability and a significant privacy risk.
Capability Assessment
Purpose & Capability
The skill's name, description, SKILL.md and scripts are coherent: they query a MySQL database and compute fraud indicators. However, instead of declaring or requiring database credentials as configuration or environment variables, the package contains hard-coded DB connection information (host, port, user, password and database) inside multiple scripts and documentation. Bundling active DB credentials in the published package is not strictly necessary for the stated purpose and is a risky distribution practice.
Instruction Scope
Runtime instructions tell the agent/operator to run Python scripts that execute many SQL queries across user/account/login/visit/transaction tables and return results containing sensitive fields (mobile, truename, idNo references, billing records). That is within the stated fraud-detection purpose, but the instructions and scripts will retrieve potentially sensitive PII and financial transaction data and also include the remote DB endpoint and credentials directly in the docs — a privacy and disclosure risk. The SKILL.md also says the database name needs confirmation while scripts already embed a database name, indicating sloppy packaging.
Install Mechanism
There is no install script (instruction-only install), which reduces the risk of arbitrary code being downloaded at install time. Nevertheless, the skill ships 11 Python scripts that will run locally and make network connections to the hard-coded RDS host. Lack of an install step is low-risk in isolation, but the presence of ready-to-run scripts with embedded credentials increases operational risk when executed.
Credentials
Registry metadata declares no required environment variables or credentials, yet the package embeds a full DB credential set (host rr-*.mysql.rds.aliyuncs.com, port 3389, user oc_gw, password m83KkZV...). The scripts query many tables that expose sensitive PII and financial data. Embedding secrets in code rather than requiring explicit, limited credentials (via env vars or a secrets manager) is disproportionate and a security/privacy red flag. Also, port 3389 is atypical for MySQL (commonly 3306), which warrants additional scrutiny.
Persistence & Privilege
The skill does not request permanent inclusion (always:false), does not modify other skill configurations, and does not include an installer that writes system-wide settings. It simply contains runnable scripts; there is no evidence of privilege escalation or persistence beyond executing the provided scripts.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install check-user-fraud
- After installation, invoke the skill by name or use
/check-user-fraud
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the check-user-fraud skill:
- Analyzes user fraud/shuadan behaviors by querying a MySQL database.
- Detects suspicious patterns via time intervals, publisher concentration, task duplication, and top refresh status.
- Provides a structured fraud risk assessment (high, medium, low) with clear output format.
- Includes practical usage scenarios, database configuration notes, and example SQL references.
- Requires pymysql and appropriate database credentials.
Frequently Asked Questions
What is Check User Fraud?
Query MySQL database to analyze user fraud/shuadan behavior. Use when user asks to check if a user is engaging in fraudulent task completion. Analyzes time i... It is an AI Agent Skill for Claude Code / OpenClaw, with 308 downloads so far.
How do I install Check User Fraud?
Run "/install check-user-fraud" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Check User Fraud free?
Yes, Check User Fraud is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Check User Fraud support?
Check User Fraud is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Check User Fraud?
It is built and maintained by star1986c (@star1986c); the current version is v1.0.0.