Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Export Data Hunter

v1.0.0

Proactively hunt and discover China's export trade data to identify competitors, track market movements, and uncover new business opportunities. Designed for...

by 走过 @1970168137
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md content: it focuses on tracking Chinese export data using UN Comtrade and China Customs. There are no unrelated requested binaries, env vars, or installs.
! Instruction Scope
The instructions explicitly note that China Customs has no official API and state 'web scraping may be required for automation.' They also recommend cross-referencing 'shipping records' and aggressive, ongoing monitoring. Those instructions are open-ended and could push an agent to perform large-scale scraping or access non-public/internal datasets; the skill does not document limits, legal/terms-of-service checks, throttling, or explicit data sources for 'shipping records.'
Install Mechanism
Instruction-only skill with no install spec or code to write to disk — lowest installation risk.
Credentials
The skill declares no required env vars or credentials, while noting UN Comtrade registration is required for its free API. It does not request API keys or other credentials up front; that's reasonable but it means the agent may prompt for or attempt to use credentials at runtime. No unrelated secrets are requested.
! Persistence & Privilege
always:false (good), but the agent can invoke the skill autonomously (platform default). Combined with open-ended scraping/monitoring instructions, that increases risk of unwanted automated queries or broad data collection if the agent is left to run autonomously.
Scan Findings in Context
[no_regex_findings] expected: Scanner had nothing to analyze because this is an instruction-only skill (no code files). Absence of findings is not evidence of safety; the SKILL.md itself is the primary surface to review.
What to consider before installing
Before installing:
1) Understand legal and ToS limits — scraping government or commercial sites can violate terms or local laws; prefer official APIs and paid subscriptions (UN Comtrade premium) where possible.
2) Avoid giving broad credentials — the skill doesn’t require env vars now, so don’t supply unrelated cloud or internal credentials.
3) If you plan to cross-reference 'shipping records', confirm where those records come from and whether the agent will access internal systems — restrict access accordingly.
4) Require rate limits, error handling, and respect for robots.txt; do not allow autonomous continuous scraping without human oversight.
5) Consider invoking manually (or reducing autonomy) until you can audit full runtime behavior — the SKILL.md truncates near the end, so request the complete instructions to be sure there are no hidden steps that read local files or exfiltrate data.

If you need help reviewing the remaining content, share it and I can reassess.

latestvk97dqgsmctet8bhp7e4tp3sjjx839444
