Industry Research Agent
Security checks across malware telemetry and agentic risk
Overview
This appears to be a legitimate report-generation skill, but it will run a local Python script, use your Eastmoney API key, send the industry topic to Eastmoney, and save report files.
This skill looks coherent for generating industry reports. Before installing, make sure you trust the Eastmoney API integration, configure EM_API_KEY only in a trusted environment, choose an appropriate local output directory for generated PDF/DOCX files, and avoid including confidential details in the industry topic unless you are comfortable sending them to the external service.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill requires granting it access to an Eastmoney API credential.
The script requires an API key and sends it as an authentication header to the Eastmoney service. This is expected for the stated purpose, but it is still sensitive credential use.
EM_API_KEY = os.environ.get("EM_API_KEY", "") ... headers={"Content-Type": "application/json", "em_api_key": EM_API_KEY}
Use a dedicated, least-privileged API key if available, keep it in environment variables only, and do not paste it into chats or logs.
The skill will run local Python code when generating a report.
The skill instructs the agent to run the included Python script with a model-extracted topic. This is central to the skill and not hidden, but users should know local code will execute.
python3 {baseDir}/scripts/get_data.py --query "{{topic}}"
Install only if you are comfortable running the included script and have reviewed the configured output location.
A future install may receive whatever httpx version is current in the package index.
The skill documents installation of the httpx dependency without a pinned version. This is a normal dependency for HTTP API access, but unpinned packages have weaker reproducibility.
"package": "httpx" ... pip3 install httpx --user
If reproducibility matters, pin and review dependency versions in your environment.
The industry topic you ask about is sent to Eastmoney, and the generated report may include a service-provided sharing link.
The script sends the user-derived industry query to a fixed external Eastmoney service and returns a share_url. This is disclosed and purpose-aligned, but it is an external data flow.
MCP_URL = "https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/industry/research" ... client.post(MCP_URL, json={"query": query}, headers={...})
Avoid putting confidential business details into the topic unless you are comfortable sending them to the Eastmoney service, and verify any returned share link before opening or forwarding it.
