Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pywencai
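v1.0.3
Tonghuashun Wencai (同花顺问财) natural-language data query tool - query market data for A-shares, indices, funds, Hong Kong and US stocks, convertible bonds and more using Chinese natural language.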
⭐ 1· 475·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (natural-language queries against 同花顺问财/iwencai) align with the included docs and demo. Requiring python3 and node is plausible (the underlying pywencai library runs JS). Nothing else in the package claims unrelated capabilities.
Instruction Scope
SKILL.md clearly instructs the user to extract and supply an iwencai Cookie (a sensitive secret) and shows how to pass it to pywencai.get. That is within the tool's stated purpose, but the value is sensitive. There is an inconsistency: demo_project/demo.py calls pywencai.get without passing a cookie, contradicting SKILL.md, which marks the cookie as required. The instructions also suggest passing proxies and using retry loops; both are normal, but they could forward network traffic if misused.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). It references pip-installing the pywencai package (a normal public package). No downloaded URLs or archive extraction are present in the skill bundle.
Credentials
The skill requires an iwencai Cookie (sensitive session credential), which is logically necessary for the described functionality. However, the metadata is inconsistent about environment variables: the top-level registry metadata lists no required env vars, while metadata.json (openclaw.requires.env) lists WENCAI_COOKIE. This mismatch is a packaging/manifest coherence problem that could lead to accidental exposure or confusion about where to place credentials.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills or system-wide settings in the provided files.
What to consider before installing
This skill appears to do what it claims (query iwencai with a browser cookie), but there are several packaging inconsistencies you should resolve before use. Recommendations:
- Verify the upstream project (https://github.com/zsrl/pywencai) and confirm the package version you plan to pip install matches the skill bundle.
- Do not paste your iwencai cookie into public logs or share it; treat it as a secret. Prefer setting it as an environment variable (WENCAI_COOKIE) rather than embedding it in code, if the library supports that.
- Confirm whether node is actually needed in your environment (installing node enables the library's JS path) and run in an isolated environment (container/VM) if you must supply a real cookie.
- Ask the publisher to fix manifest inconsistencies (registry metadata vs metadata.json vs SKILL.md vs demo) and to update demo.py to explicitly show cookie usage so requirement expectations are clear.
- If in doubt, create a throwaway iwencai account/cookie when testing, and audit network traffic (e.g., via proxy) to confirm requests go only to iwencai endpoints before using any production credentials.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📈 Clawdis
Bins: python3, node
