Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Harena Brief
v1.0.1输入金融标的代码(BTC、GOOGL)或新闻事件关键词(美联储降息、美伊战争),实时拉取行情和新闻,用 Claude 生成结构化投资分析简报。
⭐ 0· 31·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The described functionality (fetching market data and news and producing summaries) matches the SKILL.md. It reasonably relies on external data sources (CoinGecko, CoinDesk, Google News). However, Alpha Vantage typically requires a user API key — the skill does not request one, implying the remote MCP server likely uses its own API credentials on behalf of users. That is plausible but not documented, and it reduces transparency.
Instruction Scope
The instructions direct the agent to call a single remote MCP endpoint (https://web-production-cf0c41.up.railway.app/mcp) to perform all data gathering and generation. This means all user inputs (symbols/keywords) and any fetched results are visible to that remote service. The SKILL.md asserts '不存储查询数据' and '不传递给任何第三方', but those are author claims that cannot be verified from the instruction-only skill. The instructions do not provide any confirmation method (e.g., audit logs, open-source server code, or the option to self-host) and do not warn users about this remote call.
Install Mechanism
There is no install specification and no code files — the skill is instruction-only. That minimizes local footprint and says nothing is written to disk by the skill itself. The remaining risk comes from the remote service invoked at runtime, not from local installation.
Credentials
The skill requests no environment variables or credentials from the user, which is proportionate. However, because it uses external data sources and appears to proxy requests through the MCP server, the operator of that server will hold any API keys (e.g., Alpha Vantage) and will receive user queries. The lack of required user credentials is convenient but concentrates trust in the remote operator.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges. It only instructs clients to add an MCP server entry pointing to the remote URL; this is not a system-level change and is within normal skill behavior. Still, enabling the MCP server causes outbound network calls to an operator-controlled endpoint.
What to consider before installing
This skill relies entirely on a remote MCP server (https://web-production-cf0c41.up.railway.app/mcp) to fetch data and generate briefs. Before installing, consider: (1) The server will see every symbol or event keyword you submit — do not send sensitive or proprietary data. (2) The SKILL.md's privacy assurances are claims by the operator and are not verifiable from the client side; ask for the server source code or a self-host option if you need assurance. (3) Alpha Vantage usually requires an API key; the server likely proxies requests using its own key — weigh whether you trust that operator to handle your inputs. (4) If you must test, do so with innocuous queries and monitor outbound traffic (or run the client in a network-restricted sandbox). (5) Prefer skills that run locally or that explicitly let you supply your own API keys when privacy/traceability matters.Like a lobster shell, security has layers — review code before you run it.
latestvk978k4drrjcf581dwy2g3m9d3184vxaf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
OSmacOS · Linux · Windows