Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Industry Compare

v1.0.0

Industry comparison skill: multi-company comparison analysis within the same industry and assessment of industry position

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (financial/industry comparison) matches requested binaries (python3, pip) and a Tushare token (a reasonable data source). However, SKILL.md example imports `industry_compare` while the package only contains scripts/compare.py (no module packaging), and the registry/metadata disagree on whether TUSHARE_TOKEN is required. These are coherence issues (likely sloppy packaging), not direct evidence of malicious intent.
Instruction Scope
SKILL.md shows examples that imply live data fetching via Tushare, but the included scripts/compare.py contains only hard-coded example data and never reads TUSHARE_TOKEN or performs network requests. The examples instruct importing a module that doesn't exist in the bundle. This mismatch means the runtime instructions the agent would follow (per SKILL.md) do not match the actual code.
Install Mechanism
There is no install spec (instruction-only / small script). Nothing is downloaded from external URLs and no archives are extracted. Risk from install mechanism is low.
Credentials
The registry lists TUSHARE_TOKEN as a required env var, and SKILL.md lists it in metadata, which is reasonable for a finance data skill. But the provided code does not read or use TUSHARE_TOKEN (or any other credential). The token requirement is not justified by the shipped code, and the metadata even contradicts itself about whether the token is required.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and contains no install-time hooks or modifications to other skills. It does not write to system configuration; normal autonomous invocation is allowed (default).
What to consider before installing
This skill claims to fetch financial data using Tushare, but the included script only prints hard-coded example data and never reads TUSHARE_TOKEN. Also, SKILL.md examples import a module (industry_compare) that isn't packaged. Before installing or supplying any API token:
1) Inspect the code yourself (search for network calls / tushare imports) to confirm whether live data access is actually implemented.
2) Do not provide your TUSHARE_TOKEN until you confirm the token is used locally and not sent to third-party endpoints.
3) If you expect real data fetching, request the author to either (a) package a proper Python module or (b) update SKILL.md to match scripts/compare.py.
If you cannot verify these, run the skill in a sandboxed environment or avoid providing secrets.




Runtime requirements

📈 Clawdis
Bins: python3, pip
Env: TUSHARE_TOKEN
