Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hong Kong Stock Market HKEX

v1.0.0

Get HKEX (Hong Kong Stock Exchange) market data via FinanceAgent on OneKey Gateway.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (fetch HKEX data via the OneKey FinanceAgent) aligns with the runtime instructions: it requires a OneKey gateway API key and uses an aiagenta2z/financeagent API. That environment variable and the provided API endpoint are coherent with the described functionality.
Instruction Scope
SKILL.md only instructs exporting a single gateway API key, installing/using an npm package, and calling the OneKey agent endpoint (or using the provided curl). It does not instruct reading unrelated files, broad system probes, or exfiltrating data to unexpected endpoints; the external endpoint referenced (https://agent.deepnlp.org/agent_router) is consistent with the OneKey gateway usage.
Install Mechanism
The skill recommends installing an npm package (@aiagenta2z/onekey-gateway) globally. npm packages are a moderate risk because they execute code from a registry; the package name looks consistent with the agent referenced, but the registry metadata previously supplied to the catalog claimed 'No install spec'. That metadata mismatch and the fact the package will run code on the host warrant review of the npm package source before installation.
Credentials
The SKILL.md requires a single env var (DEEPNLP_ONEKEY_ROUTER_ACCESS), which is appropriate for a gateway API. However, the skill registry metadata at the top of the submission listed 'Required env vars: none' and 'No install spec', which contradicts SKILL.md. This discrepancy (manifest claims no credentials but SKILL.md requires a gateway key) reduces confidence and should be resolved before use.
Persistence & Privilege
The skill does not request always:true, does not ask to modify other skills or system-wide settings, and is user-invocable. Autonomous invocation is allowed by default but is not an additional red flag here.
What to consider before installing
This skill appears to do what it claims — call a OneKey FinanceAgent to get HKEX data — but two things deserve caution: (1) SKILL.md requires DEEPNLP_ONEKEY_ROUTER_ACCESS and an npm package (@aiagenta2z/onekey-gateway), but the registry metadata incorrectly claimed no env vars or install steps; confirm which is authoritative before installing. (2) The npm package will run code on your machine; inspect the package source (or prefer calling the gateway via curl) and limit the scope of the OneKey API key (use least privilege / short-lived token if possible). If you don't trust the npm package or cannot verify it, use the curl example against the listed endpoint instead and keep the gateway key secret.
