v1.0.0

中国官方经济资讯

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:29 AM.

Analysis

The skill appears to fetch public Chinese economic news as described, with minor caveats around its fallback script, undeclared dependencies, and source-verification robustness.

Guidance: This looks safe for fetching public economic news. Before installing, be aware that the fallback script may run locally, may require installing Python dependencies, and should not be treated as a perfectly guaranteed official-only feed unless its domain and TLS checks are strengthened.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
SKILL.md
Strategy C: script tool (fallback): run `scripts/fetch_news.py`. ... python3 scripts/fetch_news.py --limit 15 --keyword 经济

The skill may run an included Python script as a fallback. This is disclosed and aligned with fetching public news, but users should know local command execution is part of the workflow.

User impact: If the web tools are unavailable, the agent may execute the bundled script to fetch public news results.
Recommendation: Keep script execution user-visible, and review the included script before relying on the fallback.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
scripts/fetch_news.py
import sys  # needed for the stderr write below

try:
    import requests
except ImportError:
    # Dependency is not declared anywhere in the skill metadata; the script only reports it at runtime.
    print("需要安装依赖: pip3 install requests", file=sys.stderr)

The fallback script depends on an external Python package, but the metadata declares no required binaries, environment variables, or install spec. This is a setup/provenance gap rather than hidden behavior.

User impact: The fallback may not work until dependencies are installed, and manual package installation carries normal package-source trust considerations.
Recommendation: Declare Python/package requirements in install metadata or a requirements file, and pin dependency versions where practical.
Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/fetch_news.py
# site: restrict to official domains to ensure quality ... if url and not any(site in url for site in OFFICIAL_SITES): return True ... requests.get(feed["url"], headers=HEADERS, timeout=10, verify=False)

The skill emphasizes official-only sourcing, but the fallback script uses substring URL matching and disables TLS certificate verification for RSS fetching. That makes source authenticity best-effort rather than strongly enforced.

User impact: Returned links are intended to be official, but a misleading URL or network tampering could reduce trust in the results; no private data exposure is evidenced.
Recommendation: Validate parsed hostnames against exact approved domains or subdomains, keep TLS verification enabled, and verify important news links before relying on them.