Skillv1.0.1

ClawScan security

Trump Sentiment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 2:29 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions broadly match a Trump舆情 / market-sentiment collector, but there are inconsistencies and one prompt‑injection signal (base64‑block) plus unclear handling of message/notification credentials and some unusual external URLs that warrant caution.
Guidance: This skill mostly does what it says (collect posts from Truth Social / X / Google News and produce an investment‑oriented report), but several things don’t add up. Before installing or using it: (1) Ask the publisher for a homepage/source and why pre-captured data files are bundled; verify there is no sensitive or PII data in those files. (2) Inspect SKILL.md for the flagged base64 block and remove or decode and audit its contents — do not run hidden payloads. (3) Clarify how Feishu (推送飞书) notifications are delivered — require explicit Feishu API credentials or configuration rather than relying on implicit platform access. (4) Review and vet any unusual external endpoints (e.g., xcancel.com) used to fetch data. (5) If you will allow autonomous runs, ensure the agent’s browser/tool integrations are sandboxed and that sending messages to your org (Feishu) requires an explicit, auditable credential. If you cannot validate the base64 payload or the origin of the packaged data, do not enable the skill in environments with sensitive data or production trading signals.
Findings: [base64-block] unexpected: A base64-block pattern was detected in SKILL.md content by the pre-scan. Base64 payloads inside an instruction file are not expected for a straightforward data‑collection/report skill and can be used for prompt injection or hidden content; this should be inspected and removed if unnecessary.

Review Dimensions

Purpose & Capability: noteName and SKILL.md describe collecting posts from Truth Social / X / Google News and correlating with market reaction — the bundled data files and small validation script are consistent with a data‑driven sentiment tool. However the instructions reference pushing results to Feishu and using a browser profile (profile=openclaw) while the skill declares no required credentials or config paths — that credential/notification gap is an inconsistency (where do Feishu credentials come from?). Also multiple packaged data files reference xcancel.com (an unexpected aggregator domain) which is not a standard news API; this is unusual but could be an aggregator.
Instruction Scope: concernSKILL.md explicitly instructs the agent to open external websites (Truth Social, Google News RSS/search, X), extract posts, take screenshots and push analysis to Feishu — all within the stated purpose. But the pre-scan found a 'base64-block' prompt‑injection pattern in SKILL.md content (not expected for a simple workflow) which could attempt to manipulate an LLM at runtime. The instructions do not tell the agent to read local files, but the skill package includes many captured data files and reports; that increases risk if the agent is permitted to access packaged data without restrictions.
Install Mechanism: okThere is no install spec (instruction-only), so nothing is downloaded or executed during install. That is low-risk. A small python script (validate_json.py) and many data files are included in the package, but no runtime installers or external downloads are declared.
Credentials: concernThe skill declares no required environment variables or credentials, yet the workflow calls for sending messages to Feishu (飞书) and collecting market reaction metrics. Either the skill relies on platform-provided integrations (not documented) or it expects credentials to be supplied implicitly — this is a mismatch. Also several data items reference third‑party aggregator domains (xcancel.com) and many archived captures are packaged; the presence of many data files may include sensitive content and is disproportionate unless the user expects pre-populated historical data.
Persistence & Privilege: okalways:false and no install hooks or modifications to other skills are present. The skill does not request persistent system privileges. Autonomous invocation remains possible (platform default) but is not combined here with elevated privileges.