Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Iran War Tracker
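v1.1.2
High-frequency retrieval of the latest developments in the Iran war that began in March 2026, analyzing how the situation is progressing and identifying trading leads for risk assets. Generates structured Iran situation analysis reports, focusing on war developments, shipping status in the Strait of Hormuz, oil and gas supply risk, and market reaction. This skill generates structured Iran situation reports focused on war d...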
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (news search, CLS/Jin10 telegraph fetchers, stooq/Coingecko asset fetchers, prompt builder, and AI client) aligns with the stated goal of high-frequency Iran conflict reporting and market signal extraction. Using a model endpoint to synthesize reports is expected. However, the skill is packaged with code that will use optional external services (Tavily, local model-search endpoints, OpenAI/compatible endpoints) if environment variables are present — functionality that is plausible for the purpose but not declared in the metadata.
Instruction Scope
SKILL.md requires loading a remote analysis framework (Gist) with fallback to a local markdown, performing news searches, pulling CLS/Jin10 telegraph feeds, and collecting several risk-asset feeds. The runtime scripts implement these steps and follow the hard rules specified in SKILL.md. No instructions in SKILL.md ask the agent to read unrelated system files or exfiltrate data; the behavior stays within the reporting/aggregation scope.
Install Mechanism
There is no install spec — this is an instruction-and-script package; nothing is downloaded during install. That lowers supply-chain risk. The repository does fetch remote runtime data (Gist, Jin10, CLS, Tavily, stooq, Coingecko, DuckDuckGo) at runtime, which is expected for a live-tracking tool.
Credentials
The skill metadata declares no required environment variables, but the code reads multiple optional env vars that materially change runtime behavior and network targets: OPENCLAW_MODEL_ENDPOINT, OPENAI_API_KEY, OPENAI_BASE_URL, OPENCLAW_SESSION, LLM_API_KEY, LLM_API_BASE, OPENCLAW_SEARCH_URL, OPENCLAW_API_KEY, and TAVILY_API_KEY. If any of these are set, the skill will forward the assembled prompt and context to those endpoints (including arbitrary model endpoints configured via OPENCLAW_MODEL_ENDPOINT or OPENCLAW_SEARCH_URL). That creates a credible path for sensitive context (news, telegraph snippets, market data, and the full report prompt) to be transmitted to third parties without being declared as required credentials — a proportionality and transparency gap the user should consider.
Persistence & Privilege
The skill is not always-enabled and does not request permanent system-level privileges in its manifest. It does not modify other skills' configs. Autonomous invocation (model calling itself) is allowed by default but not combined with an 'always:true' flag or other elevated persistence requests.
What to consider before installing
This skill is functionally coherent for generating Iran conflict reports, but be cautious: it will try to use any model/search API keys or custom endpoints present in your environment (OPENAI_API_KEY, OPENCLAW_MODEL_ENDPOINT, OPENCLAW_SEARCH_URL, TAVILY_API_KEY, etc.). That means the full assembled prompt + collected context could be sent to those endpoints. Also the skill prefers loading a remote Gist at runtime (the analysis framework), so its behavior/content can change if that Gist is updated. Before installing or running: (1) review the code yourself or run it in a network-restricted sandbox; (2) avoid setting API keys or custom model endpoints you don't trust; (3) if you need model functionality, prefer trusted provider credentials and review the ai_client target URL; (4) consider whether you are comfortable with the skill fetching external telegraph/news endpoints at runtime. If you want a lower-risk setup, run the scripts locally with network access restricted and keep the framework file local so nothing remote can change behavior unexpectedly.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97f4y2wsmd3cfxrd7zfj3zg3x83vkb8
