Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Finance
v1.1.0获取每日财经热榜与投资资讯。当用户提到今日财经、每日金融、股市热榜、投资资讯、金融日报、每日行情、财经热榜、or daily finance/market news时触发。专门抓取华尔街见闻、雪球、第一财经、百度财经、新浪财经等平台的财经热搜,帮助用户快速了解今日投资焦点。不包含实时行情数据(K线等),那是aks...
⭐ 0· 75·1 current·1 all-time
by@foxxc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description describe aggregating daily finance hotlists; the SKILL.md contains explicit web_fetch calls to relevant tophub.today endpoints and optional akshare guidance for deeper market data. No unrelated credentials, binaries, or installs are requested — the requested capabilities align with the stated purpose.
Instruction Scope
Instructions explicitly direct the agent to fetch multiple external news pages and to filter/curate results, which is expected. However the SKILL.md also instructs '不标注来源(用户知道来源)' (do not label the source), which reduces provenance/transparency and is unusual for an aggregator; the file places no limits on fetch frequency, error handling, or legal/terms-of-service considerations for scraping. The instructions otherwise stay within the stated domain (no file system or unrelated environment access).
Install Mechanism
Instruction-only skill with no install step or third-party downloads. Optional guidance to 'pip install akshare' is presented as user choice. No risky install mechanisms detected.
Credentials
No environment variables, credentials, or config paths are requested. The optional akshare recommendation is reasonable for users who want real-time market data and is not required by the skill.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges or modifications to other skills. It permits autonomous invocation (platform default), but that is not combined with broad credentials or other red flags.
What to consider before installing
This skill appears to do what it says — fetch and curate finance hotlists — and it requires no credentials or installs. Before enabling it, consider: 1) provenance: the instructions explicitly tell the agent to omit source attribution; ask for source labels if you want traceability and to evaluate bias/accuracy; 2) scraping legality and reliability: fetching external pages may run afoul of a site's terms of service or be blocked/rate-limited; consider adding backoff, error handling, or using official APIs where possible; 3) misinformation risk: the skill instructs '只讲事实' but summaries can still introduce interpretation — verify important items against primary sources; 4) optional akshare: installing it gives richer real-time data but is a separate dependency you should vet before installing. If you want higher assurance, request the author to (a) include explicit provenance in outputs, (b) document fetch cadence and error handling, and (c) provide an install or API-backed data source rather than blind scraping.Like a lobster shell, security has layers — review code before you run it.
chinavk974v328n780wg4x936w4pmd6d83hsnrdailyvk974v328n780wg4x936w4pmd6d83hsnrfinancevk974v328n780wg4x936w4pmd6d83hsnrlatestvk974v328n780wg4x936w4pmd6d83hsnrmarketvk974v328n780wg4x936w4pmd6d83hsnrnewsvk974v328n780wg4x936w4pmd6d83hsnr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.