Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pensions

v0.1.1

Provides commercial pension insurance analysis, pension account simulation, retirement income projection, and investment portfolio recommendations.

by ClawKK@codekungfu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to analyze commercial pension insurance, simulate pension accounts, export transaction history, and perform sub-hourly syncing with personal account changes. However, the package requests no credentials, has no install steps, and provides no integration details (APIs, banks, brokers) that would be required to access personal financial data or perform automated syncing.
Instruction Scope
SKILL.md outlines filters, return fields, and example prompts, and promises daily/sub-hour synchronization with market and personal account changes as well as exports of transaction statements. It does not include any concrete runtime instructions for how to obtain market data, connect to user accounts, authenticate, or where exported statements are written or transmitted. That gap means the instructions either assume out-of-band access to sensitive data or are incomplete.
Install Mechanism
No install spec or code is included (instruction-only). This minimizes immediate filesystem or network install risk, but also reinforces that required integrations are not documented.
Credentials
The declared manifest lists no environment variables, credentials, or config paths — yet the skill's capabilities (transaction exports, account sync) normally require bank/broker credentials or API keys. The lack of declared secrets is disproportionate to the stated functionality and is a gap that needs explanation.
Persistence & Privilege
The manifest's always field is false and there are no install scripts. However, the SKILL.md promise of 'sub-hour level sync' implies periodic or background access that is not reflected in the manifest. If the skill later adds autonomous syncing or requests long-lived credentials, its privilege and blast radius would increase.
What to consider before installing
This skill claims to read personal pension/account data and keep sub-hourly synchronized views, but provides no details on how it would access market feeds or your accounts (no required API keys, no integration docs, no install). Before installing or using it:
1) Ask the developer to explain exactly how it connects to market data and user accounts, what credentials it requires, and where exported statements are stored/transmitted.
2) Do not provide bank/broker credentials or tokens until you see a clear, documented integration (API endpoints, OAuth flows, or official partner info).
3) Prefer a sandbox or disposable test account for initial trials.
4) Request a privacy/data-retention policy and ask whether data is sent to third-party endpoints.
The current manifest is incomplete and should be clarified before trusting it with sensitive financial data.


latest: vk978wznnajvqnej0a3v7a7k4b9834ge2

