Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
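mx-个股跟踪 (mx individual stock tracking)
v1.0.4
Generates industry or individual-stock tracking reports. Triggered when the user explicitly asks for a "report / research report / tracking analysis / weekly report / monthly report / daily report", or mentions a specific industry, sector, index, or stock name/code and wants the system to output structured tracking content. Typical phrasings include "write an XX industry report", "track XX stock", "generate an XX research report", and "see how XX has been doing lately and produce a report".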
⭐ 0 · 62 · 0 current · 0 all-time
by Gingin @gracexiaoo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description match the behavior: the SKILL.md instructs running scripts/generate_industry_stock_tracker_report.py, and that script calls an external reporting API to produce a structured JSON report and optionally base64-encoded PDF/DOCX attachments. Requesting an API key (EM_API_KEY) is appropriate for this purpose.
Instruction Scope
SKILL.md confines the agent to passing the user's query to the script synchronously and returning the script's stdout JSON without rewriting report content. The script only performs an HTTP POST to the declared API endpoint, decodes attachments, and writes them to disk. It does not read unrelated system files or harvest other environment variables (aside from an optional output-dir override in code).
Install Mechanism
This is an instruction-only skill with a single included script and no install spec. Nothing is downloaded or installed at runtime by the skill itself, which minimizes install-time risk.
Credentials
The only declared required env var is EM_API_KEY, which the script uses as an HTTP header to authenticate to the external API — proportionate to the described functionality. Note: the script also supports overriding the attachment output directory via INDUSTRY_STOCK_TRACKER_OUTPUT_DIR (checked in code) but this variable is not documented in the SKILL.md's environment table; it's a minor mismatch to surface.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent settings. It writes attachments to a local directory (cwd/miaoxiang/industry_stock_tracker by default) but otherwise does not request elevated privileges.
Assessment
This skill will send the user's query and the EM_API_KEY value to an external API (https://mx-saas-platform-test.eastmoney.com/...). If you install it: (1) treat EM_API_KEY as a secret — only provide a key scoped to this service; (2) be aware the skill writes decoded PDF/DOCX files to the agent's working directory (default: ./miaoxiang/industry_stock_tracker) — change the working dir or set INDUSTRY_STOCK_TRACKER_OUTPUT_DIR if you want files in a specific location; (3) the skill runs the script synchronously and returns the script's stdout JSON verbatim, including any message fields — don’t expect the skill to redact or transform content; (4) if you are concerned about data sent to the external service, review the API provider and consider using a key with limited scope. The only minor inconsistency: the code supports an output-dir env var (INDUSTRY_STOCK_TRACKER_OUTPUT_DIR) that is not documented in SKILL.md; confirm desired storage path before use.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ake3bzq7538g9qzbr94y8an843nn5
Runtime requirements
Env: EM_API_KEY
