Yunmeng A-Share Data Retrieval Skill (云梦A股数据获取Skill)

Security checks across malware telemetry and agentic risk

Overview

The skill code appears to fetch public A-share market data, but its install metadata includes mismatched and unpinned dependencies that should be reviewed before installation.

Review or remove the package.json dependency declarations before installing, and install in an isolated Python environment with pinned, vetted versions. The runtime behavior appears limited to public finance data requests, but the dependency metadata needs maintainer attention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "OpenClaw",
  "license": "MIT",
  "dependencies": {
    "pandas": "^2.0.0",
    "requests": "^2.31.0",
    "beautifulsoup4": "^4.12.0"
  }
Confidence
85% confidence
Finding
"pandas": "^2.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "pandas": "^2.0.0",
    "requests": "^2.31.0",
    "beautifulsoup4": "^4.12.0"
  }
}
Confidence
86% confidence
Finding
"requests": "^2.31.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "pandas": "^2.0.0",
    "requests": "^2.31.0",
    "beautifulsoup4": "^4.12.0"
  }
}
Confidence
97% confidence
Finding
"beautifulsoup4": "^4.12.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
requests
beautifulsoup4
Confidence
98% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
requests
beautifulsoup4
Confidence
98% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
requests
beautifulsoup4
Confidence
98% confidence
Finding
beautifulsoup4

Known Vulnerable Dependency: beautifulsoup4==4.12.0 — 1 advisory(ies): MAL-2025-3615 (Malicious code in beautifulsoup4 (npm))

High
Category
Supply Chain
Confidence
99% confidence
Finding
beautifulsoup4==4.12.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
