Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Market Intelligence Agent

v1.0.0

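Automatically monitors and aggregates market and industry data across multiple platforms, and generates customized reports with insight into trends, opportunities, risks, and competitor activity.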

by ZhangYang @arthasking123
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description promise cross‑platform data collection (news, Twitter, Reddit, arXiv) and periodic monitoring. However, the delivered main.sh only generates a static markdown template and does not call any external APIs or aggregate data. package.json and README reference API keys and a setup.sh, yet no setup.sh or code that consumes API keys is present. This mismatch suggests the skill is incomplete or misrepresented.
Instruction Scope
SKILL.md instructs the user to configure a config.json with sources and templates and demonstrates openclaw run commands, but does not show how API keys are provided or how data is fetched. The runtime instructions do not direct the agent to read unrelated system files or exfiltrate data; they are high level and rely on unspecified config. The agent instructions are vague and grant broad implementation discretion (e.g., 'cross-platform aggregation') without concrete steps.
Install Mechanism
There is no install spec (instruction-only), and the provided files are a small shell script and docs. No external downloads or package installations are specified. Risk from the installation mechanism is low. Note: README mentions a setup.sh (not included), which is an inconsistency to investigate.
Credentials
Declared requirements list no environment variables or credentials, but package.json and README include placeholders for news/twitter API keys and config.json is required by SKILL.md. The skill neither declares nor requests these credentials up front, which is inconsistent — if real integration is later added it would likely require API keys; users should not provide secrets until they confirm how the skill uses them.
Persistence & Privilege
The skill does not request always:true and has no install that modifies system or other skills. It only writes reports to a local output/ directory. No elevated or persistent privileges are requested.
What to consider before installing
This skill is inconsistent: it advertises automated multi‑platform monitoring but the included main.sh only creates a static report template and does not fetch data. README and package.json mention API keys and a setup.sh that is not present. Before installing or providing any API keys, consider: 1) treat this as a stub — it likely needs additional code to perform real data collection; 2) ask the publisher for the missing setup.sh or source repository and verify how API keys are used; 3) do not supply secrets until you confirm network endpoints and code that consumes them; 4) run the skill in a sandboxed environment first to observe behavior. If you expect production data aggregation, prefer a skill whose code actually implements authenticated API calls and documents required credentials and endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fjec83b60fhbjwbbzsrg1jd81gpfm
