Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Global Market Feed

v1.0.1

Real-time stock market data via QuoteNode API. Query quotes, K-lines, tick trades, Level-2 depth, and trading calendars for US/HK/CN markets.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's name/description align with the included code and docs (it implements a generic POST caller for QuoteNode REST endpoints). However, the registry metadata declares no required credentials/config, while both SKILL.md and scripts/request.mjs expect an endpoint and an apiKey in a local env.json — this is an inconsistency (the skill needs secrets but doesn't advertise them).
Instruction Scope (flagged)
The runtime instructions are narrowly scoped: the script only reads a local datatk-quote-skill/env.json, validates the endpoint (https and datatk.com allowlist), checks the path starts with /Api/, and POSTs JSON to the allowlisted domain. That scope is appropriate for a market-data integration. Two issues: SKILL.md's quick-start uses a filename `env.json.example` while the package contains `env.example.json` (typo), and the SKILL.md/registry do not declare that the skill requires storing an API key locally.
Install Mechanism
There is no install spec (instruction-only skill with a small utility script). Nothing is downloaded or written by an installer. Risk from install mechanism is low.
Credentials (flagged)
The script requires an API key and endpoint (stored in datatk-quote-skill/env.json) but the skill metadata lists no required env vars or primary credential — a mismatch. The API key is a sensitive secret; the skill reads it from a local file rather than from declared platform-managed credentials, which increases the chance of accidental exposure if users commit or share the file.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It runs on demand and does not persist elevated privileges.
What to consider before installing
This skill appears to be a small, focused REST client for QuoteNode, but there are a few things to check before installing:

- Expect to provide two secrets: an endpoint URL and an API key. The code reads these from datatk-quote-skill/env.json, but the registry metadata did not declare any required credentials — confirm where you must store the API key and treat it as a secret.
- Fix the example filename mismatch: SKILL.md suggests env.json.example, but the repository includes env.example.json. Ensure you create datatk-quote-skill/env.json with the correct keys (endpoint and apiKey) and do not commit it to source control.
- The script contains safety checks: it requires HTTPS, disallows raw IPs, and allowlists datatk.com domains. Review that allowlist if you intend to use a private gateway.
- Because the API key is stored locally (not a declared platform credential), be careful about backups, repositories, or logs that might include it. Prefer using platform-managed secrets if available.
- You can test the script locally (node scripts/request.mjs --path /Api/V1/... --body '{...}') to confirm behavior. If you rely on automated agent invocation, consider whether you want the agent to have access to the local env.json; if not, do not enable autonomous invocation for this skill.

If you need, I can produce a short checklist or patch suggestions to: (1) correct the example filename, and (2) update the skill metadata to declare the required credential so the platform can handle it more safely.
Static analysis finding (flagged): scripts/request.mjs:3 — File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
