Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Market Insight
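v1.0.0
Daily market insight report generation system. Uses multi-agent collaboration: news collection → analysis → market trend prediction → Feishu document report. Runs automatically every day at 10:00.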
by Rui Chen @a851445115
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill says it will collect web news, run analysis, and push a Feishu document, which matches the declared openclaw requires: web_search, web_fetch, feishu_doc. However, the SKILL.md additionally instructs running an external CLI ('opencode run --agent sisyphus') and initializing a git repo; neither 'opencode' nor git is listed as a required binary or provided by an install spec. The SKILL.md also specifies local workspace paths for storage (~/.openclaw/workspace/...), but 'required config paths' is empty. These gaps are inconsistent with the stated purpose.
Instruction Scope
Instructions tell the agent to: perform web searches and fetches (expected), execute 'opencode' with an agent name (executes arbitrary analysis code), run 'git init' in the target directory, and write reports/logs to a specific home-directory path. The use of an external CLI to perform analysis (without declaring or providing it) and the explicit file system write locations expand the skill's scope beyond a simple web->report flow and could execute or persist code/data unexpectedly.
Install Mechanism
There is no install spec (instruction-only) which is lowest risk in principle. But the SKILL.md's reliance on 'opencode' and git implies external binaries must be present; the absence of declared required binaries or an install step is an inconsistency: either the skill expects platform-provided tools or it will fail/attempt to run unknown binaries.
Credentials
The skill pushes content to Feishu (feishu_doc) but declares no env vars or credentials. If the platform supplies Feishu credentials transparently, that may be OK; otherwise the skill omits required secrets. It also writes to ~/.openclaw/workspace/... (access to the user's home), which is a form of persistent storage not declared as a required config path. The skill does not request unrelated credentials, but it does require write access and an external CLI that may require network or tokens—these are not documented.
Persistence & Privilege
always:false (good). The metadata contains a cron schedule ('0 10 * * *'), so the skill is intended to run daily at 10:00 automatically. The skill will create files and a git repo under the user's workspace path and keep logs — that persistent disk presence is expected for a report generator but should be noted. There is no indication it modifies other skills or agent-wide settings.
What to consider before installing
Before installing, get answers to these questions:
1) Where does 'opencode sisyphus' come from? Confirm whether 'opencode' is a platform-provided tool or a third‑party CLI; ask for its homepage/source and an install spec. Running unknown CLIs can execute arbitrary code.
2) Will the agent have Feishu credentials? The skill will create docs and post messages to a Feishu group; ensure you understand which account/group will be used and that credentials/permissions are appropriate.
3) The SKILL.md instructs creating a git repo and writing files under ~/.openclaw/workspace/… — confirm you’re comfortable with the skill creating persistent files there (and review what data will be stored).
4) Ask the publisher for a homepage or source repository and for an install manifest that declares required binaries and any required environment variables.
5) If you want to test, run it in a sandboxed account/environment with limited Feishu permissions and inspect the files it creates.
Because the instructions include running an external CLI and persisting data, treat this as potentially risky until the missing details are provided.
Like a lobster shell, security has layers — review code before you run it.
latest vk978v1ysx077y2qb1n6fq2jgkn81rxg8
Runtime requirements
📊 Clawdis
