Initiation of Coverage Agent
Security checks across malware telemetry and agentic risk
Overview
This skill appears purpose-aligned, but it uses an EastMoney API key, sends the user’s query to an external EastMoney service, installs a Python dependency, and saves generated report files locally.
Install this only if you trust the skill source and are comfortable using an EastMoney API key. Do not include confidential information in prompts, because the query may be sent to the external report service, and keep the generated PDF/DOCX output directory in a location you control.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill runs local code to complete the report request and passes the user’s prompt into that code.
The skill asks the agent to run a local Python helper with the user’s raw query as an argument. This is central to the skill’s purpose, but it should be invoked with safe argument passing rather than unsafe shell interpolation.
python3 {baseDir}/scripts/generate_deep_research_report.py --query "用户原始问句"
(The quoted placeholder is Chinese for "the user's original question".)
Use the provided script only for this report workflow, pass the query as a single, properly escaped argument, and do not run modified helper scripts from untrusted sources.
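The difference between shell interpolation and safe argument passing, as an added example that is not part of the skill or of this report. The script path and the hostile query are constructed values; the stand-in child process is `python -c` printing its own argv, so the example runs offline and shows exactly what the helper would receive.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical path standing in for {baseDir}/scripts/... in the skill text.
SCRIPT = "/opt/skill/scripts/generate_deep_research_report.py"

# Constructed hostile query: a prompt that closes the double quote and
# appends extra shell commands. Demonstration value only.
HOSTILE_QUERY = 'Acme Corp 600519"; echo INJECTED; echo "'


def unsafe_command(query: str) -> str:
    """The pattern to avoid: the raw query interpolated into a shell line."""
    return f'python3 {SCRIPT} --query "{query}"'


def shell_tokens(cmdline: str) -> list[str]:
    """Tokenize a command line the way a POSIX shell would (no expansion)."""
    return shlex.split(cmdline)


def safe_argv(query: str) -> list[str]:
    """Argument vector for subprocess.run(..., shell=False): the query is one
    argv element no matter which characters it contains."""
    return ["python3", SCRIPT, "--query", query]


def shell_safe_command(query: str) -> str:
    """If a shell string is unavoidable, quote the untrusted value."""
    return f"python3 {shlex.quote(SCRIPT)} --query {shlex.quote(query)}"


def run_and_capture_argv(query: str) -> list[str]:
    """Run a stand-in helper (python -c printing its argv) via the safe argv
    form and return what the child actually received."""
    child = [
        sys.executable,
        "-c",
        "import json, sys; print(json.dumps(sys.argv[1:]))",
        "--query",
        query,
    ]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print("unsafe tokens:", shell_tokens(unsafe_command(HOSTILE_QUERY)))
    print("safe tokens:  ", shell_tokens(shell_safe_command(HOSTILE_QUERY)))
    print("child argv:   ", run_and_capture_argv(HOSTILE_QUERY))
```

With the interpolated form the shell sees `echo INJECTED` as separate commands after the script exits; with the argv form the whole hostile string arrives as the single value of `--query`. An agent runtime that must emit a shell string should apply `shlex.quote` to the query as shown.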
Anyone running the skill must provide an EastMoney API key, which may authorize access to the report service under that account.
The script requires a sensitive EastMoney API key and sends it as an authentication header to the report-generation endpoint. This is expected for the declared integration and no hardcoded key or unrelated credential use is shown.
EM_API_KEY = os.environ.get("EM_API_KEY", "") ... "em_api_key": EM_API_KEY
Use a dedicated or least-privilege API key if available, keep it out of shared logs and prompts, and rotate it if you suspect exposure.
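One way to handle the key so it cannot leak through logging, as an added example that is not the skill's own code. It keeps the `EM_API_KEY` variable and `em_api_key` header name from the snippet above, fails closed instead of defaulting to an empty string, and installs a logging filter that redacts the key from every record. The sample key is a constructed value and no network call is made.

```python
import io
import logging
import os
import re
from typing import Iterable, Mapping

# Constructed sample environment; the key is not a real credential.
SAMPLE_ENV = {"EM_API_KEY": "em-test-key-0123456789"}


def load_api_key(env: Mapping[str, str], name: str = "EM_API_KEY") -> str:
    """Fail closed instead of falling back to "" as the snippet does: an
    empty header turns into a confusing upstream error instead of a clear
    local one."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to call the report service")
    return key


def fingerprint(key: str) -> str:
    """Loggable identifier: last four characters only, enough to tell which
    key was used without exposing it."""
    return "****" + key[-4:] if len(key) > 8 else "****"


class SecretRedactor(logging.Filter):
    """Rewrite every log record so the secret never reaches a handler, even
    when it is embedded in a serialized header dict or a URL."""

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        parts = [re.escape(s) for s in secrets if s]
        self._pat = re.compile("|".join(parts)) if parts else None

    def redact(self, text: str) -> str:
        return self._pat.sub("[REDACTED]", text) if self._pat else text

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def log_request(env: Mapping[str, str], query: str) -> str:
    """Simulate the logging a helper might do around the API call and return
    what actually reached the log stream."""
    key = load_api_key(env)
    headers = {"em_api_key": key}  # header name as in the skill snippet
    stream = io.StringIO()
    logger = logging.getLogger("coverage-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactor([key]))
    logger.addHandler(handler)
    # A debug line like this is how keys usually end up in shared logs.
    logger.debug("POST initial-coverage headers=%s json=%s", headers, {"query": query})
    logger.info("using key %s", fingerprint(key))
    return stream.getvalue()


if __name__ == "__main__":
    env = os.environ if "EM_API_KEY" in os.environ else SAMPLE_ENV
    print(log_request(env, "Acme Corp 600519 initiation of coverage"))
```

The filter sits on the handler, so it also catches third-party libraries that log request headers at debug level; rotating the key still matters if it was ever written before the filter was in place.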
A future install may resolve a different httpx version than the one the author tested.
The skill documents installing the Python dependency httpx without a pinned version. This dependency is expected for the HTTP API call, but the package version is not locked in the artifact.
"package": "httpx" ... pip3 install httpx --user
Install dependencies from a trusted Python package index and consider pinning a reviewed httpx version in controlled environments.
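A small checker for the unpinned-dependency finding, added here as an example and not part of the skill or of ClawScan. It classifies install specs such as the skill's bare `httpx` as unpinned, exactly pinned, or hash-pinned; the sample specs are constructed and the hash digest is a placeholder, not httpx's real one.

```python
import re

# Matches "name[extras] op version" with optional trailing pip options such
# as --hash=... . A simplified requirement grammar, not a complete PEP 508 parser.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|!=|>=|<=|>|<)\s*(?P<version>[^\s;#\\]+))?"
)


def classify_requirement(spec: str) -> str:
    """Return 'unpinned', 'pinned' (exact ==) or 'hash-pinned' (exact == plus
    a --hash option, which pip enforces under --require-hashes)."""
    m = REQ_RE.match(spec)
    if not m:
        raise ValueError(f"not a requirement line: {spec!r}")
    op, version = m.group("op"), m.group("version")
    exact = op in ("==", "===") and version is not None and "*" not in version
    if not exact:
        return "unpinned"
    return "hash-pinned" if "--hash=" in spec else "pinned"


def audit_install_specs(specs) -> dict[str, str]:
    """Map each install spec (a skill's 'package' entries or requirements.txt
    lines) to its classification, skipping comments, blanks and pip options."""
    result = {}
    for line in specs:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        result[line] = classify_requirement(line)
    return result


def unpinned(specs) -> list[str]:
    """The specs a reviewer should flag before allowing the install."""
    return [s for s, c in audit_install_specs(specs).items() if c == "unpinned"]


# Constructed sample: the skill's bare "httpx" beside pinned alternatives.
# The sha256 value is a placeholder, not httpx's real digest.
SAMPLE_SPECS = [
    "httpx",
    "httpx>=0.25",
    "httpx==0.27.*",
    "httpx==0.27.0",
    "httpx[http2]==0.27.0 --hash=sha256:"
    "0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for spec, kind in audit_install_specs(SAMPLE_SPECS).items():
        print(f"{kind:12s} {spec}")
```

Only the hash-pinned form protects against a substituted package on the index: with `pip3 install --require-hashes -r requirements.txt`, pip refuses any distribution whose digest does not match, whereas a bare `==` pin still trusts whatever the index serves for that version.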
The company name, stock code, and any extra details included in the prompt are shared with the external report-generation provider.
The helper sends the user’s report query to an external EastMoney API endpoint and receives generated report content, attachments, and a share URL. This is disclosed and purpose-aligned.
FIRST_COVERAGE_URL = "https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/initial-coverage" ... json={"query": query}
Avoid including confidential or non-public information in the query unless you are comfortable sharing it with the EastMoney-backed service.
