Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MyCompanyDueDiligence
v1.0.1企业尽职调查自动化工具。基于 Playwright/agent-browser 实现多数据源自动抓取,支持企查查、天眼查、东方财富、中国裁判文书网四个网站的综合信息抓取,生成专业尽调报告(含截图+Markdown+PDF)。
⭐ 0· 77·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the included Playwright scraping scripts (query_*.py, generate_report.py). However the skill declares no required credentials/env vars while shipping a session/ directory containing multiple saved session and cookie JSON files (qcc_cookies.json, tianyancha_cookies.json, eastmoney_cookies.json, tyc-auth.json, etc.). Bundling third‑party login sessions is disproportionate to the stated metadata (which lists no credentials) and introduces sensitive artifacts that don't belong in a published skill.
Instruction Scope
SKILL.md instructs running Playwright/agent-browser and saving/loading browser state; that aligns with functionality. Problems: it uses hard-coded absolute paths referencing a specific user (/Users/sunguangning/...), and the repo already contains saved session files. The runtime instructions do not warn about using included session files; scripts could restore those sessions automatically. The instructions otherwise stay within the stated scraping/reporting scope and do not explicitly direct data to unknown external endpoints.
Install Mechanism
No install spec is provided (instruction-only install), which reduces supply-chain risk. A requirements.txt is included listing Playwright and other Python libs. No downloads from unknown URLs or archive extraction are present in metadata. Because code files are bundled, user must install Python deps and Playwright separately per README — expected but worth noting.
Credentials
The skill requests no environment variables yet requires logins to multiple paid services per SKILL.md; instead of declaring required credentials it ships session/cookie JSON files. This is mismatched and risky: those session files can contain active authentication tokens for third‑party sites. Also the repo references absolute filesystem locations for reports/data which may override user files if used as-is.
Persistence & Privilege
always:false and no platform-wide privileges requested. However the skill persists and reuses browser sessions stored under its session/ directory, meaning it can re-use whoever's credentials are in those files. That is a confidentiality/privacy concern (persistent embedded credentials), not a platform-privilege escalation.
What to consider before installing
This package implements the advertised Playwright scraper and report generator, but it ships with saved browser sessions and cookie files (session/*.json, session/*cookies.json, tyc-auth.json) and references absolute paths under /Users/sunguangning/.... Those session files may contain active authentication tokens for paid services (企查查/天眼查/裁判文书网/eastmoney). Before installing/running: 1) Inspect and remove the session/ directory (do not use bundled session files). 2) Search the code for any hard-coded absolute paths and adjust to safe relative or configurable paths. 3) Review setup_credentials.py and any code that loads session JSON to ensure it won't automatically reuse credentials or upload them to external servers. 4) Run the skill in an isolated environment (throwaway VM or container) and create your own login sessions by following the documented manual login steps. 5) If you rely on paid APIs, prefer official API keys and declare them as env vars rather than reusing scraped sessions. 6) Consider legal and ToS implications of automated scraping for each target site. If you want higher assurance, ask the publisher for provenance (who maintains it) or for a version with the session files removed; absence of a homepage/author increases risk.Like a lobster shell, security has layers — review code before you run it.
latestvk974pesazyxqjpq4r7039k07t583fte7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.