Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Macro Monitor
v1.0.2每日宏观数据监控和推送。自动浏览免费数据源(Trading Economics、FRED、国家统计局、央行官网、财联社等),整理整合过去24小时发布的宏观数据和政策信息,并推送给用户。通过 cron 每天晚上10点自动触发。
⭐ 4· 2.1k·26 current·26 all-time
by@hmzo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (daily macro data monitoring and push) matches the instructions (use browser to visit listed public data sites, compile past-24h items, push results). No unrelated env vars, binaries, or installs are requested.
Instruction Scope
Instructions are narrowly scoped to browsing public macro data sites, cross-checking explanations, compiling a report, and pushing it. Two practical issues: (1) the SKILL.md uses an absolute path /home/hmzo/.openclaw/... to read references/indicators.md (this is likely intended to read the skill's local reference file but is user-specific and may fail or accidentally reference a different location on other hosts); (2) the 'push' step references a message tool but the example invocation is empty/missing, so it's unclear what target or channel will receive the report. These are implementation/robustness issues rather than malicious scope creep.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism (nothing is downloaded or written by an installer).
Credentials
The skill declares no environment variables, credentials, or config paths beyond reading its own references file. It only uses network access to public websites, which is consistent with its purpose.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed (default) but not combined with other red flags. Cron config is provided in the instructions, which is appropriate for a scheduled reporting skill.
Assessment
This skill appears to do what it claims (visit public macro data sites, compile a daily summary, and push it). Before enabling it automatically: 1) verify the 'read' path maps to the skill's local references file in your environment (the absolute path /home/hmzo/... may be incorrect or could point to an unexpected location); 2) confirm where the message tool will send reports (the example push invocation is missing) and that the destination is appropriate/authorized; 3) confirm you are comfortable with the agent's browser tool having network access to fetch and render third‑party pages (pages may contain dynamic scripts or require rate-limiting or respect robots.txt); 4) test a manual run to ensure the skill doesn't try to access other filesystem paths or prompt for credentials; and 5) ensure this scraping behavior complies with the terms of the target sites. If those checks are acceptable, the skill is coherent and proportionate to its stated purpose.Like a lobster shell, security has layers — review code before you run it.
latestvk970rwjmr8qkgyd66bw517c45h812amw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.