public-opinion-insights

Advisory

Audited by VirusTotal on Apr 2, 2026.

Overview

Type: OpenClaw Skill
Name: public-opinion-insights
Version: 0.0.1

The skill is a legitimate integration for the Midu public opinion analysis service. The Python script (insights.py) communicates with a specific API endpoint (midu.cc) to perform analysis based on user-provided dimensions. While it includes a mechanism to automatically fetch an API key from a remote endpoint if one is not configured, this behavior is clearly documented in the SKILL.md and apikey-fetch.md files and does not involve exfiltrating sensitive local data or executing unauthorized commands.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The API key and analysis request could be exposed on the network or used through an implicit fallback credential path, depending on where the agent runs.

Why it was flagged

The reviewed code obtains or uses MIDU_API_KEY and sends it as a bearer token to a plain-HTTP endpoint, with an automatic /apiKey fallback when the environment variable is missing.

Skill content
API_BASE_URL = "http://intra-znjs-yqt-agent-wx-beta.midu.cc"
...
url = f"{base_url}/apiKey"
...
headers["Authorization"] = "Bearer %s" % api_key

Recommendation

Use an HTTPS endpoint, make the /apiKey fallback explicit or remove it, and document exactly when credentials are fetched and sent.

What this means

Users have less external context for confirming that this internal Midu endpoint and package are the intended release.

Why it was flagged

The skill source and homepage are not provided, making publisher provenance harder to verify even though the included code is small and directly reviewable.

Skill content
Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher and endpoint; maintainers should add a source URL, homepage, or commit provenance.