蜂兵虾将
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your preferences, monitored industries, and interaction history may be stored and reused in future conversations, and inaccurate or poisoned memory could influence later outputs.
SKILL.md instructs the agent to read and write the user profile, session history, and long-term memory automatically on every run, so state carries across sessions.
"Runs automatically on every execution" ... "Read /workspace/memory/profiles/user_profile.json" ... "Update /workspace/memory/profiles/user_profile.json" ... "Update MEMORY.md (if there is important content)"
Use it only if you are comfortable with persistent memory. Prefer an isolated workspace, inspect the memory files periodically, and ask the skill to confirm before it saves or updates long-term memory.
Search results and extracted pages can be inaccurate, untrusted, or manipulated, so reports may reflect unreliable source material.
The skill expects the agent to use web search and webpage extraction across multiple platforms, which is purpose-aligned for hotspot monitoring but still involves external content retrieval.
"Use web_search to search across multiple platforms" and "Use extract_content_from_websites to extract detailed content"
Require citations, treat retrieved webpages as untrusted data, and manually verify important financial, medical, or business conclusions.
Running the demos may execute local package code and installed dependencies on your machine.
The README documents local dependency installation and JavaScript execution even though the registry lists no install spec. This is a transparency/provenance note, not evidence of malicious behavior.
“npm install” and “node demo.js”
Review package.json and package-lock.json, run demos in a sandboxed project directory, and avoid executing code from unknown sources without inspection.
Users may over-trust trend predictions or opportunity reports, especially in finance, healthcare, or business contexts.
The skill uses strong marketing language around earning money and unattended automation, while the artifacts do not show a bounded scheduler or safety controls for high-stakes domains.
"Does the work for you and helps you make money" ... "Runs automatically, no need to keep watch" ... "Reports are generated automatically at 10 a.m. and 4 p.m. every day; you just lie back and count the opportunities."
Treat these claims as marketing; keep human review in the loop and do not rely on the skill alone for high-stakes decisions.
