Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Astock Daily
v1.0.0
Daily emails listing recent A-share IPOs and selected stocks priced under 20 yuan, including key trading details.
⭐ 1 · 536 · 2 current · 2 all-time
by @batype
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill description (fetch A-share IPOs and low-price stocks, then email them) is reasonable, but the registry metadata says no required env vars or install steps, while the package includes nodemailer, .env usage, and code that expects SMTP credentials and the ability to write files and cron entries. The presence of a hard-coded target email (8@batype.com) and helper scripts that save credentials into ~/.zshrc or .env is inconsistent with the 'no credentials required' claim.
Instruction Scope
SKILL.md, together with the other docs and scripts, instructs the user to provide SMTP credentials (SMTP_CONFIG), run setup scripts that add cron jobs, and run a fix-hosts.sh that appends entries to /etc/hosts (requires sudo). The runtime code reads process.env.SMTP_CONFIG, writes .env and data-*.json files, and executes sendmail/osascript. These behaviours go beyond simple data fetching and include system configuration changes and credential handling.
Install Mechanism
The registry lists 'no install spec' (instruction-only), but the package contains package.json/package-lock.json with a nodemailer dependency, meaning npm install is required to enable SMTP sending. That mismatch (no declared install step but real code plus dependencies) is an incoherence and increases risk, because users may run code without performing an explicit, vetted install step.
Credentials
Although the skill metadata declares no required env vars, the code relies on SMTP_CONFIG (and the scripts create .env and optionally export SMTP_CONFIG into the shell RC file). test-smtp.js contains a hard-coded username and plaintext password ('8@batype.com' / '960515@ss.com'). Requesting or storing SMTP credentials, and suggesting that they be added to a shell RC file or .env, is disproportionate without an explicit declaration in the metadata and raises credential exposure risk.
Persistence & Privilege
The skill's helper scripts add cron jobs, can append SMTP_CONFIG to ~/.zshrc or other shell RC files, and provide a script that appends entries to /etc/hosts using sudo. While these actions can be legitimate for scheduling and DNS fixes, they make long-lived system changes and require elevated privileges (hosts modification). The skill itself is not marked always:true, but it instructs the user to persist credentials and jobs on the host, a notable persistence surface.
Scan Findings in Context
[hardcoded-credential] unexpected: test-smtp.js includes a plaintext password ('960515@ss.com') and the user email '8@batype.com'. Hard-coded credentials are unnecessary to the public registry metadata and expose secrets in repository files.
[no-install-spec-but-package-json] unexpected: The package includes package.json and package-lock.json (nodemailer dependency) but the registry lists no install spec. This is an incoherence: users must run npm install or otherwise provide the dependency to use the SMTP functionality.
[hosts-modification] expected: fix-hosts.sh and DNS-FIX.md modify /etc/hosts to override SMTP DNS resolution. This is plausible for fixing a network issue, but it requires sudo and changes system-wide behaviour, so users should review entries and understand implications before running.
What to consider before installing
This package performs more privileged and sensitive actions than the registry metadata claims. Before installing or running it:
1) Inspect and remove any hard-coded credentials (test-smtp.js) and never run with those credentials; create a dedicated SMTP account/authorization for this skill.
2) Do not blindly run fix-hosts.sh or any script that uses sudo. Examine the exact hosts entries and only apply them if you trust the source and understand the change.
3) Prefer exporting SMTP_CONFIG at runtime rather than adding it to ~/.zshrc or other RC files; keep secrets out of checked-in files.
4) Run npm install only after reviewing package.json and package-lock.json; verify that dependencies come from a trusted registry.
5) If you want to test, run the code in an isolated environment (container or VM) and avoid adding cron jobs until you have confirmed its behaviour.
The inconsistencies (metadata vs. code) and the embedded plaintext password are red flags. Treat this skill as potentially unsafe until those issues are remediated.
latest · vk97amqwk5segqh9b5apc1r25jx81zjrs
