Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill description implies live financial-news aggregation (which could legitimately use Tushare), but the actual code (scripts/news_monitor.py) contains only local, hard-coded printouts and no network/API calls. The SKILL.md shows usage as 'from financial_news import ...' but no importable package named 'financial_news' is provided — only a script under scripts/. Requiring TUSHARE_TOKEN and pip appears disproportionate to the shipped code.
Instruction Scope
SKILL.md documents functions (query_news, setup_monitor, analyze_sentiment) as if provided by an importable module, and asks for TUSHARE_TOKEN in metadata. The runtime script implements similarly named functions but as a standalone script that prints canned examples; there are no instructions that read environment variables, call the Tushare API, perform I/O beyond printing, or transmit data externally. The documented runtime behavior and the actual code are inconsistent.
Install Mechanism
There is no install spec (instruction-only skill with a single script). That has low install risk because nothing is downloaded or written during install. However, absence of packaging means the documented imports may not work without additional packaging steps.
Credentials
The skill declares TUSHARE_TOKEN as a required environment variable, which is a sensitive API credential. The included code does not read os.environ or otherwise use any credential, so requesting that secret is unexplained and disproportionate. Requiring pip also appears unnecessary given there are no external dependencies in the script.
Persistence & Privilege
always is false and the skill does not request any persistent system-level privileges or config-path access. It does not modify other skills or global agent settings in the files provided.
What to consider before installing
This skill is inconsistent: it asks for a Tushare API token and lists pip as required but the bundled script only prints canned news and never uses the token or makes network calls. Before installing, ask the author to explain: (1) why TUSHARE_TOKEN is required and where it is used, (2) why SKILL.md shows 'from financial_news import ...' when there is only scripts/news_monitor.py (ask for a proper package or install steps), and (3) whether any additional code (network fetches, dependencies) is omitted. Do not provide your TUSHARE_TOKEN (or other secrets) until the developer demonstrates that the token is necessary and shows the code that uses it. If you still want to test the skill, run it in a sandboxed environment without any real credentials and inspect runtime network activity for unexpected connections.
Like a lobster shell, security has layers — review code before you run it.
latestvk975evdgrfm8gawpwfdbpavt2x83r42r
Runtime requirements
📰 Clawdis
Bins: python3, pip
Env: TUSHARE_TOKEN
