蜂兵虾将

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: bingbingxiajiang
Version: 1.4.1

The skill is classified as suspicious due to significant prompt injection vulnerabilities and broad tool capabilities. Specifically, the `AGENT_PROMPTS.md` instructs the 'Information Guardian Agent' to use `web_search` and `extract_content_from_websites` tools to collect 'user-specified information' without clear sandboxing or URL filtering. This allows an attacker to potentially prompt the agent to search for sensitive internal data or interact with malicious external websites. Additionally, the `SKILL.md` defines an automatic memory system that reads and writes user profiles and long-term memory from files within the workspace, which could be a prompt injection vector if these files are tampered with. While the core JavaScript code implements the memory system with extensive file system access, it appears confined to the skill's designated directories and does not exhibit direct malicious intent. The identified issues are vulnerabilities that *allow* attacks, rather than proof of intentional malicious behavior by the skill itself.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your preferences, monitored industries, and interaction history may be stored and reused in future conversations, and inaccurate or poisoned memory could influence later outputs.

Why it was flagged

The skill requires automatic cross-session reading and writing of user profile, session history, and long-term memory every time it runs.

Skill content

“Runs automatically on every execution” ... “Read /workspace/memory/profiles/user_profile.json” ... “Update /workspace/memory/profiles/user_profile.json” ... “Update MEMORY.md (if there is important content)”

Recommendation

Use only if you are comfortable with persistent memory. Prefer an isolated workspace, inspect memory files periodically, and ask the skill to confirm before saving or updating long-term memory.

What this means

Search results and extracted pages can be inaccurate, untrusted, or manipulated, so reports may reflect unreliable source material.

Why it was flagged

The skill expects the agent to use web search and webpage extraction across multiple platforms, which is purpose-aligned for hotspot monitoring but still involves external content retrieval.

Skill content

“Use web_search for multi-platform search” and “Use extract_content_from_websites to extract detailed content”

Recommendation

Require citations, treat retrieved webpages as untrusted data, and manually verify important financial, medical, or business conclusions.

What this means

Running the demos may execute local package code and installed dependencies on your machine.

Why it was flagged

The README documents local dependency installation and JavaScript execution even though the registry lists no install spec. This is a transparency/provenance note, not evidence of malicious behavior.

Skill content

“npm install” and “node demo.js”

Recommendation

Review package.json and package-lock.json, run demos in a sandboxed project directory, and avoid executing code from unknown sources without inspection.

What this means

Users may over-trust trend predictions or opportunity reports, especially in finance, healthcare, or business contexts.

Why it was flagged

The skill uses strong marketing language around earning money and unattended automation, while the artifacts do not show a bounded scheduler or safety controls for high-stakes domains.

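Skill content

“Works for you, helps you make money” ... “Runs automatically, no need to watch over it” ... “Reports are generated automatically at 10 a.m. and 4 p.m. every day; you can just lie back and count the opportunities.”

Recommendation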

Treat these claims as marketing; keep human review in the loop and do not rely on the skill alone for high-stakes decisions.