财经监控
ReviewAudited by ClawScan on May 10, 2026.
Overview
This finance quote skill mostly matches its stated purpose, but it is configured to send reports to a hard-coded WeChat channel that may not belong to the installer.
Install only if you trust or can change the hard-coded WeChat destination. Before use, edit the skill to send reports only to your chosen channel and require confirmation for each push. The web/API quote lookups themselves appear aligned with the finance-monitoring purpose, and no trading actions or credential handling are shown.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your stock or commodity queries and resulting reports could be sent to an unintended WeChat recipient.
The workflow sends generated finance reports to a specific hard-coded WeChat session, with no artifact evidence that the installer chooses or confirms this destination.
使用 copaw channels send 推送到用户微信;目标:session_id=weixin:o9cq8012x7_zwZtDYePv8bo7qxLM
Remove the hard-coded session_id, require the user to configure the destination channel, and ask for confirmation before sending reports outside the chat.
When invoked, the agent may browse public finance pages or run scoped curl requests to fetch market data.
The skill instructs the agent to use browser automation and a curl command to retrieve finance data. This is expected for the stated quote-monitoring purpose, but it is still external tool and network use.
访问财经网站(必须使用 browser_use) ... curl -s -A "Mozilla/5.0" "https://zh.tradingeconomics.com/commodity/crude-oil"
Keep these requests limited to user-requested instruments and known finance-data URLs; avoid turning user text directly into arbitrary URLs or shell commands.