Finance Data Scraper

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill is broadly about finance scraping, but its included code hardcodes a NocoDB API token/destination and can repeatedly close unrelated browser tabs.

Review the scripts before installing. Remove the hardcoded NocoDB URL/token/table, configure your own credentials, and do not enable the tab-cleanup cron unless it is limited to scraper-owned tabs and you are comfortable with recurring browser tab closures.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the importer may use an embedded credential and write scraped records to an unintended third-party NocoDB database.

Why it was flagged

The import script embeds a specific NocoDB endpoint, API token, and table ID instead of reading the user-provided NocoDB configuration described by the skill.

Skill content

BASE_URL = "https://nocodb.dixchain.com/api/v2"
TOKEN = "TNejcEzKlX92OU0..."
TABLE_ID = "m2w6ubg16mcn33m"

Recommendation

Do not run the importer until the hardcoded token is removed or rotated, credentials are loaded from your own config or environment, and the destination table is confirmed before upload.

What this means

If run, it could close unrelated browser tabs and potentially lose unsaved work or disrupt other browsing sessions.

Why it was flagged

The cleanup script closes all browser tabs that are not Eastmoney tabs, rather than limiting itself to tabs opened by this skill.

Skill content

other_tabs = [tab for tab in tabs if not is_eastmoney_tab(tab)]
...
tabs_to_close.extend(other_tabs)
...
["openclaw", "browser", "close", tab_id]

Recommendation

Restrict cleanup to tabs/windows created by the scraper, add a dry-run or confirmation mode, and avoid using it on a personal browser profile.

Concern
High Confidence
ASI10: Rogue Agents

What this means

Browser tabs may be closed repeatedly in the background without a visible notice at each run.

Why it was flagged

The provided cron configuration would run the tab-closing task twice per hour without announcements if the user adopts it.

Skill content

"cron": "20,50 * * * *",
"message": "执行Chrome浏览器Tab清理任务...",
"announce": false

Recommendation

Keep scheduled cleanup opt-in, enable announcements, and require explicit approval or stricter scope before recurring tab-closing actions.

What this means

The registry view understates what the skill needs, making it harder to review credential and runtime behavior before use.

Why it was flagged

The registry metadata says no credentials are required, while the skill documentation and code involve NocoDB credentials and browser-control scripts.

Skill content

Required env vars: none
Env var declarations: none
Primary credential: none

Recommendation

Declare the NocoDB credential/config requirements and browser-control dependency in metadata, even if users provide them manually.