Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Professional Industry Research Report Generator

v1.0.0

Generates in-depth industry research reports. Triggered when the user's request contains industry keywords or an industry name and the intent is to understand an industry, generate an industry research report, or perform industry analysis. Typical trigger scenarios include, but are not limited to, the user mentioning "XX industry research", "XX industry report", "help me analyze the XX industry", "XX industry deep-dive", "XX sector market analysis", and so on. Even if the user does not explicitly say the word "report", as long as...

0· 85·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the instructions: producing industry research reports with charts and DOCX/PDF outputs. However, the SKILL.md assumes the runtime has Python, matplotlib, python-docx, CJK fonts, and a DOCX→PDF converter available. The skill metadata declares no required binaries, packages, or install steps — that's an inconsistency (missing declared dependencies).
Instruction Scope
Instructions direct the agent to perform web research, save research artifacts to workspace paths, generate charts, and create DOCX/PDF files. That scope is appropriate for report generation. Two behavioral items to note: (1) the skill forces 'ONLY output is files (DOCX+PDF), never direct answers', which may be surprising or undesired in interactive contexts; (2) the spec requires web searches and full-URL citations but gives no guidance on which network endpoints are allowed or how to handle paywalled/proprietary sources. The workflow itself is explicit and not overly broad, but these operational gaps matter.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk generally, but the instructions mandate use of specific Python libraries (matplotlib, python-docx), CJK font configuration, and DOCX→PDF conversion. Because no install or dependency declaration is provided, the skill may fail or attempt to run unsupported operations in environments lacking those components. Lack of an install mechanism is an operational/incoherence risk rather than direct malware risk.
Credentials
The skill requests no environment variables or credentials, which on the surface is good. However, the SKILL.md expects access to Tier 2 data providers (Bloomberg, Refinitiv, FactSet, etc.) for verification without specifying credentials or how to access paid APIs. That is a mismatch: the instructions assume access to external, sometimes-paid services but declare no credentials or guidance. Also, the agent will perform web searches and save potentially sensitive workspace files — users should be aware of what data will be written.
Persistence & Privilege
No elevated persistence or "always" inclusion is requested. The skill is user-invocable and allows autonomous invocation by default (normal). It does not request modifying other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (create in-depth industry reports with charts and DOCX/PDF output), but it assumes runtime capabilities that are not declared. Before installing or enabling it:
1) Confirm the agent environment has Python, matplotlib, python-docx (or provide an install spec), the required CJK fonts, and a reliable DOCX→PDF conversion tool.
2) Decide whether you want the agent to perform live web searches and save research files to the workspace (docs/ and data/); restrict workspace access if needed.
3) If you expect use of paid data providers (Bloomberg, FactSet, etc.), require explicit credential handling or remove those sources from the 'required' verification list.
4) Be aware the skill mandates not replying in chat and only producing files; if you need conversational answers, ask the author to relax that rule.
5) Ask the publisher to add a clear dependency/install section and to document which network endpoints and credentials (if any) the skill will use.
If those gaps are not addressed, treat the skill cautiously and test it in a sandbox with non-sensitive data.


latest: vk977txbdwz6x2v6z58p8wbbjss83zxye
