Skill v0.1.0

ClawScan security

Mx Macro Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 1:24 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required EM_API_KEY align with its stated purpose (querying 东方财富 / EastMoney macro data); requested resources and network calls are proportional and there are no obvious exfiltration endpoints or excessive privileges.
Guidance
This skill appears coherent with its stated purpose, but take these precautions before installing:
- Verify the EM_API_KEY source and scope: ensure the key is issued by the official EastMoney endpoint (https://ai.eastmoney.com/mxClaw), confirm its permissions and that you can revoke/regenerate it.
- Run in an isolated environment (virtualenv, container) when first testing and install httpx there.
- Inspect the included script (scripts/get_data.py) yourself — it posts queries to https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchMacroData and writes CSV/text files under a local miaoxiang/mx_macro_data folder. If that output location is sensitive, change it or run in a safe working directory.
- Ensure network egress to ai-saas.eastmoney.com is acceptable in your environment and that TLS egress is allowed (the URL uses https).
- Treat EM_API_KEY like any secret: do not embed it in code or logs, and revoke it if you believe it was compromised.
- Note the small metadata inconsistency (registry says no install spec while SKILL.md includes a pip install instruction). Confirm dependency installation (httpx) before running.
If you want, I can summarize the exact network calls and files the script will create or point out any lines in the code you should review closely.

Review Dimensions

Purpose & Capability
note
Name/description claim natural-language macro data queries from 东方财富; the Python script posts to ai-saas.eastmoney.com/proxy/b/mcp/tool/searchMacroData using an EM_API_KEY header and writes CSV/description files. That matches the stated purpose. Minor inconsistency: registry metadata said 'No install spec / instruction-only' while the SKILL.md contains an openclaw 'install' entry for pip (httpx) and a code file (scripts/get_data.py) is included — operationally coherent but metadata bookkeeping is inconsistent.
Instruction Scope
ok
SKILL.md instructions and the script are limited to building a query, calling the EastMoney endpoint, converting returned JSON to CSV, and writing a description text file. The SKILL.md additionally mandates orchestrator-side verification (gap detection and iterative re-calls) which increases orchestration requirements but is within scope for a data-fetching skill. The skill does not instruct reading unrelated system files or other environment variables.
Install Mechanism
note
No platform-level installer in the registry, but SKILL.md requests pip install httpx (a standard PyPI package). Installing httpx via pip is standard and low-risk. The mismatch between 'no install spec' in registry metadata and the SKILL.md install entry is a bookkeeping inconsistency to be aware of.
Credentials
ok
Only a single environment variable (EM_API_KEY) is required and it is justified: the script places the key in an 'em_api_key' request header to authenticate to EastMoney. There are no other secret/env requests or unrelated credential reads.
Persistence & Privilege
ok
The skill does not request always:true or modify other skills or system-wide config. It writes output files (CSV and description) to a local directory (miaoxiang/mx_macro_data by default) which is expected for a data exporter; this is a normal file-writing behavior and within the skill's scope.