Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sinopec Oil Price
v1.0.0
Sinopec oil price query skill for looking up real-time fuel prices. Supports querying gasoline and diesel prices by province and displays price change information.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the code and docs. The implementation uses axios to call Sinopec's API (base URL: https://cx.sinopecsales.com/yjkqiantai) to fetch price data and exposes getOilPrice and monitorOilPrice as described. Declared dependencies (axios) are appropriate for the task.
Instruction Scope
SKILL.md and references describe querying and monitoring behavior; the code follows that. The runtime performs HTTP GET/POST to the Sinopec domain and reads/writes local history files (./history/<province>.json and ./oil-price-history.json). The SKILL.md doesn't enumerate the exact file locations, so note that the skill persists history in its own directory.
Install Mechanism
There is no install spec bundled (instruction-only in metadata) but code + package.json/package-lock are included. Installing/running will require Node and npm (or equivalent) to fetch axios from the npm registry mirror referenced in package-lock. This is normal but means runtime will install third-party packages if executed.
Credentials
The skill requests no environment variables or credentials and only accesses the Sinopec API and the local filesystem for history — this is proportional to a price-query/monitoring skill.
Persistence & Privilege
The skill creates and updates local files (history/*.json and oil-price-history.json) under the skill directory to persist previous prices and is intended for scheduled runs (cron). It does not request elevated system privileges or modify other skills. always:false (default) — it is not force-included.
Assessment
The skill appears to do what it says: it queries Sinopec's official API, computes price differences, and saves simple JSON history files in the skill directory. Consider the following before installing:
1) It will need network access to https://cx.sinopecsales.com and Node/npm to install dependencies (axios).
2) It writes persistent files (history/*.json and oil-price-history.json) in the skill folder — if you prefer no local persistence, run it in a sandbox or remove/redirect the save/read functions.
3) The package-lock refers to an npm mirror (npmmirror.com) — if you require a particular registry, install with your preferred registry and verify package integrity.
4) The skill source/homepage is not provided; however, all source files are included so you can audit them yourself.
If you want tighter controls, run the skill in an isolated environment or review/modify the file-write and logging behavior before enabling scheduled runs.
index.js:294
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
latest · vk9769rq18rs3agyw2y5v201d9583mbk9
Runtime requirements
⛽ Clawdis
