Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

同花顺问财 ETF Selection

v1.0.0

同花顺 intelligent ETF selection skill. Screens ETFs by market data, the fundamentals of the tracked index, fund size, style type and similar criteria, and returns the data for the matching ETFs. When the user asks an ETF screening question, this skill must be used.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (ETF selection via 同花顺/问财) matches the included code and docs which call an iwencai API. Requiring an API key and making POST queries to an external financial API is coherent with the stated purpose.
Instruction Scope
The SKILL.md and scripts/cli.py instruct the agent to send user queries to an external API (openapi.iwencai.com) and to retry with relaxed queries up to 2 times. SKILL.md also allows calling 'other financial tools or search tools' at the agent's discretion, which is a broad grant. Critically, the runtime instructions reference the environment variable IWENCAI_API_KEY (and mention IWENCAI_API_URL) while the skill metadata declares no required env vars; because of this mismatch, the agent may attempt network calls that require secrets never declared to the platform.
Install Mechanism
No install spec; there is a single CLI script using only Python standard library. No downloads or third-party packages are installed, which minimizes install-time risk.
Credentials
The code requires an API key (IWENCAI_API_KEY) for authentication and the docs mention IWENCAI_API_URL; however, the registry metadata lists no required env vars. Asking for an API key is proportionate to the task, but the omission from the metadata is a mismatch and increases the chance that a user supplies credentials without realizing the skill needs them. The skill does not request unrelated credentials, but the missing declaration is a red flag.
Persistence & Privilege
always:false and no special persistence or system-wide configuration changes. The skill does not request elevated/always-on privileges in the manifest.
What to consider before installing
This skill appears to be a straightforward client for the 同花顺/问财 (iwencai) API, but exercise caution before installing or enabling it:

- Metadata mismatch: The skill's manifest declares no required environment variables, but the instructions and CLI code require IWENCAI_API_KEY (and refer to IWENCAI_API_URL). Do not provide your API key until you confirm the skill legitimately needs it.
- Verify the endpoint and owner: The CLI uses https://openapi.iwencai.com/v1/query2data. Confirm that this is the official endpoint and that you trust the unknown owner/publisher before supplying credentials.
- Review network behavior: The skill sends your full query text to the external service and may retry with relaxed queries up to 2 times. Avoid sending sensitive or private data in queries, because it will be transmitted to an external API and may be logged.
- Confirm credential scope: Use an API key with limited scope/usage and monitor its usage. Prefer creating a dedicated key for this skill rather than reusing high-privilege credentials.
- Test locally first: Inspect and run the provided scripts locally in a safe environment (without exposing production secrets) to validate behavior and ensure IWENCAI_API_URL usage is as expected (the CLI hardcodes DEFAULT_API_URL and does not read an IWENCAI_API_URL env var despite mentioning it in docs).

Given the manifest/instructions inconsistency and unknown publisher, treat this skill as suspicious until you validate the above points.

