Skillv1.0.0

ClawScan security

commercial-market-report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 24, 2026, 4:10 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions clearly require multiple external API keys and local config access (e.g., ~/.openclaw/.env and Chrome remote-debugging) but the registry metadata declares no required credentials—this mismatch and the web-scraping setup merit caution before installing.
Guidance: Before installing or running this skill, consider the following: 1) The SKILL.md requires API keys (Tavily, Amap, possibly BRAVE_SEARCH) and instructs reading ~/.openclaw/.env, but the skill metadata declares no required env vars—ask the author to explicitly list required credentials and explain how they are used and stored. 2) The skill performs web scraping (Xiaohongshu via Chrome remote-debugging and Sogou via web_fetch). Enabling Chrome with --remote-debugging-port exposes browser debugging endpoints—only do this in a controlled/sandboxed environment and avoid exposing personal profiles or active logins. 3) Verify where API keys are sent: the scripts included are local and do not show outbound network calls, but the instructions expect the agent to call external APIs; confirm that keys will not be exfiltrated to unknown endpoints and that TLS and proper Authorization headers are used. 4) If you must provide API keys, prefer scoping them with least privilege and use short-lived or restricted credentials if possible. 5) Ask the author to update the skill metadata to declare required env vars and to document data retention, logging, and any external third-party skills invoked (e.g., amap-lbs-skill, multi-search-engine). 6) If you cannot get satisfactory answers, run the skill in an isolated environment (separate user account or VM) and do not enable remote debugging on a machine with sensitive data.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (generate market reports) legitimately requires external data (maps, market search). The SKILL.md instructs use of Tavily, 高德 (Amap), multi-search-engine, Sogou Weixin and browser scraping of Xiaohongshu—these are in-scope. However the package metadata declares no required env vars/credentials while the instructions and references explicitly expect API keys (TAVILY_API_KEY, AMAP keys, BRAVE_SEARCH_API_KEY). That mismatch between claimed requirements and actual needed credentials is incoherent and risky.
Instruction Scope: concernRuntime instructions direct the agent to: call Tavily API with a bearer token (curl example), use amap-lbs-skill for POI/traffic queries, run web_fetch against Sogou Weixin, and perform browser scraping of Xiaohongshu via Chrome remote debugging. The SKILL.md also instructs reading an .env file in the user's home (~/.openclaw/.env) for API keys. Those actions involve network calls and local config access beyond pure document generation and require explicit consent and declared requirements; the instructions do not make clear how keys are handled or whether any scraped pages / results are sent to third-party endpoints beyond the listed APIs.
Install Mechanism: okThere is no install spec (instruction-only deployment) and included code files are local Python scripts that generate docx/html/pptx and charts. No external installer or arbitrary download URLs are used. This is lower risk from an install mechanism perspective.
Credentials: concernThe skill expects multiple API keys (TAVILY_API_KEY explicitly; references also mention AMAP_WEBSERVICE_KEY, AMAP_JSAPI_KEY, BRAVE_SEARCH_API_KEY) but the skill metadata declares no required env vars or primary credential. Asking to read ~/.openclaw/.env for keys and to use them in curl/web requests is sensitive and should be declared; the current omission is disproportionate and inconsistent.
Persistence & Privilege: okThe skill is not marked always:true and does not request permanent platform presence. Included scripts write only local output files and do not attempt to modify other skills or system-wide configs. No privileged persistence behavior is requested in the manifest or SKILL.md.