Openclaw Wealth Guide
v1.0.0自动采集、处理多种数据源并导出JSON、CSV、Excel等格式,支持定时任务及OpenClaw无缝集成,适合中国市场。
⭐ 0· 84·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (智能数据采集器) matches the files and code: adapters for web/API/file/database, processors, exporters, scheduler, and OpenClaw integration. Declared dependencies (requests, bs4, pandas, APScheduler, SQLAlchemy, cryptography) are plausible for this functionality. The skill manifest, examples, and wrapper all align with the described purpose.
Instruction Scope
SKILL.md only instructs cloning the repo, installing Python deps, and configuring OpenClaw — all within the expected scope. It does not request unrelated system data or external endpoints beyond standard OpenClaw URLs and example sites. That said, runtime examples and helper scripts call external network resources (scraping targets, OpenClaw API endpoints) which is expected for a harvester but means the skill will make outbound HTTP calls when used. The documentation also contains a couple of small typos/incorrect commands (e.g., "uv pip install" and some example imports) and some example code assumes network access.
Install Mechanism
There is no platform install spec (instruction-only in registry), but the package includes full source and build scripts. Manual install instructions use git + pip which is standard. Build and helper scripts use subprocess.run with shell=True (scripts/build_package.py, scripts/init_git_repo.py), which is common for build tooling but increases risk if user-supplied input is passed into those commands later — recommend reviewing scripts before running and executing them in an isolated environment.
Credentials
The skill declares no required environment variables or credentials. Adapter code supports auth/config values supplied in YAML or runtime configuration (expected). There are no hard-coded external secrets or requests for unrelated cloud credentials in the manifest or SKILL.md.
Persistence & Privilege
Skill flags show default privileges (always: false, model invocation not disabled). The package contains code that writes output, creates packages, and can initialize a git repo (intended behavior), but it does not request persistent elevated platform privileges or modify other skills' configs.
Assessment
This repository appears to be a legitimate data‑harvester/OpenClaw integration. Before installing or running it:
- Review and run it in a virtual environment or isolated machine (e.g., VM or container). It performs network I/O (web/API scraping) and will make outbound HTTP requests.
- Inspect scripts/build_package.py and scripts/init_git_repo.py before running; they execute shell commands (subprocess.run with shell=True). Don’t run build/init scripts with elevated privileges or on production hosts without review.
- Provide credentials (DB/API keys) only via configuration files you control; the project does not request environment secrets but adapters accept auth in config — avoid storing secrets in unencrypted files.
- Verify upstream source if you need to trust updates (repo URLs point to Gitee/GitHub usernames that you may want to confirm). The codebase has minor typos and import inaccuracies in examples — treat examples as illustrative, not production-ready.
- Pin and audit dependencies (requirements.txt includes many heavy packages); consider installing dependencies in a venv and scanning them with your usual supply-chain tools.
If you want deeper assurance, ask for a full review of the remaining omitted source files (the scan truncated 26 files) or a dependency SBOM and runtime network/call list to check for unexpected endpoints.Like a lobster shell, security has layers — review code before you run it.
latestvk977te9gvy7zy1ws4wgynk2zx184he0z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.