snowtrace

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: snowtrace
Version: 1.0.0

The skill is designed for investment analysis and fetches data from xueqiu.com. It transparently requires an `XQ_A_TOKEN` for authentication, which is used solely for its stated purpose of accessing Xueqiu APIs. The `install.sh` script installs legitimate dependencies (Node.js, Playwright, Chromium) using standard package managers and npm. The `fetch_timeline.js` script makes network requests only to xueqiu.com domains. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, or malicious prompt injection attempts in `SKILL.md` or `README.md`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

This could violate the service's access controls or terms of use, trigger account security checks, and let the agent perform authenticated scraping through a stealth browser.

Why it was flagged

The skill explicitly relies on Playwright plus a stealth plugin to get past WAF/anti-bot controls, rather than using a normal supported API flow.

Skill content
| Influencer (大V) timeline | xueqiu.com | Playwright + stealth | The main domain sits behind an Alibaba Cloud WAF; curl cannot get through |
Recommendation

Use only if this access method is permitted for your account and jurisdiction. Prefer official APIs or exports where available, and keep request volume low with explicit user approval.

What this means

Anyone running the skill with this token may be able to access account-bound Xueqiu data such as the user’s watchlist; the artifact does not show mutation or off-domain exfiltration, but the credential is still high-impact.

Why it was flagged

The skill asks the user to extract and provide a browser session cookie, while the registry metadata declares no required environment variables or primary credential.

Skill content
export XQ_A_TOKEN="<value of xq_a_token>" ... F12 → Application → Cookies → copy the `xq_a_token` value.
Recommendation

Provide the token only if you trust the skill's source. Consider using a separate account, or revoke/refresh the cookie after use; the skill should also declare this credential requirement in its metadata.
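The two findings above both come down to limiting what a run can do with the account-bound `xq_a_token` cookie: keep request volume bounded, and make sure the cookie cannot leave xueqiu.com. Static review can only say the artifact shows no off-domain exfiltration; the guard below enforces it at runtime. This is an added example, not code from the snowtrace skill. It assumes a hypothetical policy (https only, xueqiu.com and its subdomains only, a per-run request budget) and uses a constructed stand-in for Playwright's `Route` object so it runs offline; the real wiring is `context.addCookies([buildTokenCookie(process.env.XQ_A_TOKEN)])` and `context.route('**/*', guard.handler)`.

```javascript
// Added example (not code from the snowtrace skill): guard rails for a
// Playwright session that carries the account-bound xq_a_token cookie.
// Assumed (hypothetical) policy: only https requests to xueqiu.com and its
// subdomains may proceed, and one run may issue at most `maxRequests` of them.

const TOKEN_COOKIE = 'xq_a_token';
const SITE = 'xueqiu.com';

// True only for xueqiu.com itself and its subdomains. Checking the suffix
// with a leading dot rejects lookalikes such as xueqiu.com.evil.example.
function isAllowedHost(hostname) {
  const h = String(hostname).toLowerCase();
  return h === SITE || h.endsWith('.' + SITE);
}

// Cookie descriptor for Playwright's context.addCookies([...]). Scoping it to
// .xueqiu.com with secure + httpOnly keeps the token off plaintext connections
// and out of reach of page scripts, even if a page were compromised.
function buildTokenCookie(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('XQ_A_TOKEN is empty; refusing to start an authenticated session');
  }
  return {
    name: TOKEN_COOKIE,
    value,
    domain: '.' + SITE,
    path: '/',
    secure: true,
    httpOnly: true,
    sameSite: 'Lax',
  };
}

// Handler for context.route('**/*', handler). Off-domain or plaintext requests
// are aborted so the cookie cannot travel with them; a hard request budget
// bounds how much authenticated scraping a single run can do.
function makeRequestGuard({ maxRequests = 200 } = {}) {
  const stats = { allowed: 0, blockedHost: 0, blockedBudget: 0 };
  function handler(route) {
    const url = new URL(route.request().url());
    if (url.protocol !== 'https:' || !isAllowedHost(url.hostname)) {
      stats.blockedHost += 1;
      route.abort('blockedbyclient');
      return;
    }
    if (stats.allowed >= maxRequests) {
      stats.blockedBudget += 1;
      route.abort('blockedbyclient');
      return;
    }
    stats.allowed += 1;
    route.continue();
  }
  return { handler, stats };
}

// Constructed stand-in for a Playwright Route so the guard can run offline.
function fakeRoute(url) {
  const r = { decision: null };
  r.request = () => ({ url: () => url });
  r.abort = (code) => { r.decision = 'abort:' + code; };
  r.continue = () => { r.decision = 'continue'; };
  return r;
}

// Drives the guard over constructed URLs and returns what it decided.
function runDemo() {
  const guard = makeRequestGuard({ maxRequests: 2 });
  const urls = [
    'https://xueqiu.com/',               // in scope, 1st of 2 allowed
    'https://xueqiu.com.evil.example/',  // lookalike host: aborted
    'http://xueqiu.com/',                // plaintext: aborted
    'https://evil.example/collect?t=1',  // off-domain: aborted
    'https://xueqiu.com/',               // in scope, 2nd of 2 allowed
    'https://xueqiu.com/',               // over budget: aborted
  ];
  const decisions = urls.map((u) => {
    const r = fakeRoute(u);
    guard.handler(r);
    return r.decision;
  });
  return { decisions, stats: guard.stats };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The budget is deliberately a hard cap rather than a rate limiter: the point is that a run cannot quietly turn into bulk scraping without the user raising the number and approving it. Pair it with a throwaway or secondary account and revoke the cookie when the run ends.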

What this means

Installing the skill may pull and run third-party packages and browser components on the local system.

Why it was flagged

The user-directed installer downloads npm dependencies and a Chromium browser at install time; this is expected for the skill’s browser automation, but it adds normal supply-chain/provenance risk.

Skill content
npm install --save playwright-extra puppeteer-extra-plugin-stealth ... npx playwright install chromium
Recommendation

Review install.sh and package.json before running, install in an isolated environment if possible, and prefer pinned dependencies or a lockfile.
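A concrete way to act on that recommendation before running `install.sh` is to review the manifest that `npm install --save playwright-extra puppeteer-extra-plugin-stealth` leaves behind. The script below is an added example, not code from the snowtrace skill: it flags dependency specs that are not exact versions, specs that resolve outside the npm registry, and lifecycle scripts that execute during install. The sample manifest and its version numbers are constructed for illustration (a `postinstall` hook is added to show the lifecycle check), and the severity rules are this example's own heuristics.

```javascript
// Added example (not code from the snowtrace skill): a pre-install review of
// a package.json. Flags floating version ranges, non-registry sources, and
// install-time lifecycle scripts. The sample manifest below is constructed.

// Exact semver, optionally with prerelease/build metadata (4.3.6, 1.0.0-rc.1)
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Specs npm fetches from somewhere other than the registry by version:
// git/http/file URLs, hosted shorthands, and bare "owner/repo" GitHub specs
const NON_REGISTRY = /^(?:git\+|git:|github:|gitlab:|bitbucket:|https?:|file:|link:)|^[\w.-]+\/[\w.-]+(?:#.*)?$/;
// Lifecycle scripts npm runs automatically while installing this package
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Classifies one dependency spec string.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'pinned';
  if (NON_REGISTRY.test(s)) return 'non-registry';
  return 'range'; // ^, ~, *, x-ranges, dist-tags such as "latest", empty string
}

// Reviews a package.json text. `lockfilePresent` says whether package-lock.json
// sits beside it; a lockfile turns a floating range into a reproducible pin,
// so ranges are downgraded to low severity when one exists.
function reviewManifest(manifestText, lockfilePresent) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'pinned') continue;
      findings.push({
        level: kind === 'non-registry' ? 'high' : lockfilePresent ? 'low' : 'medium',
        item: `${field}.${name}`,
        spec: String(spec),
        reason: kind === 'non-registry'
          ? 'resolved outside the npm registry; provenance depends on that source'
          : 'floating version range; the resolved package can change between installs',
      });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && hook in pkg.scripts) {
      findings.push({
        level: 'high',
        item: `scripts.${hook}`,
        spec: String(pkg.scripts[hook]),
        reason: 'runs automatically during npm install unless --ignore-scripts is used',
      });
    }
  }
  if (!lockfilePresent) {
    findings.push({
      level: 'medium',
      item: 'package-lock.json',
      spec: '(missing)',
      reason: 'no lockfile; resolution is not reproducible and npm ci cannot be used',
    });
  }
  return findings;
}

// Constructed sample: roughly what `npm install --save` would write (caret
// ranges), plus a postinstall hook to exercise the lifecycle-script check.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'snowtrace',
  version: '1.0.0',
  dependencies: {
    'playwright-extra': '^4.3.6',
    'puppeteer-extra-plugin-stealth': '^2.11.2',
  },
  scripts: { postinstall: 'npx playwright install chromium' },
});

// Runs the review against the constructed sample.
function runReview(lockfilePresent) {
  return reviewManifest(SAMPLE_MANIFEST, lockfilePresent);
}

for (const f of runReview(false)) {
  console.log(`[${f.level}] ${f.item} ${f.spec}: ${f.reason}`);
}
```

Once the manifest and a committed lockfile have been reviewed, `npm ci --ignore-scripts` installs exactly the locked tree without executing any package's install hooks; the Chromium download (`npx playwright install chromium`) is then run as a separate, deliberate step rather than as a side effect of installing dependencies.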