Finance Data Scraper

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: finance-data-scraper
Version: 1.0.1

The skill bundle contains a hardcoded NocoDB API token and a specific backend URL (nocodb.dixchain.com) in 'scripts/import_to_nocodb.py', which constitutes a significant security vulnerability and credential leak. Additionally, 'scripts/cleanup_tabs.py' performs aggressive browser management by closing all tabs that do not match a specific finance domain, potentially causing user data loss. While these behaviors are somewhat aligned with the stated purpose of the scraper, the inclusion of active credentials and intrusive browser control warrants a suspicious classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the importer may use an embedded credential and write scraped records to an unintended third-party NocoDB database.

Why it was flagged

The import script embeds a specific NocoDB endpoint, API token, and table ID instead of reading the user-provided NocoDB configuration described by the skill.

Skill content

BASE_URL = "https://nocodb.dixchain.com/api/v2"
TOKEN = "TNejcEzKlX92OU0..."
TABLE_ID = "m2w6ubg16mcn33m"

Recommendation

Do not run the importer until the hardcoded token is removed or rotated, credentials are loaded from your own config or environment, and the destination table is confirmed before upload.

What this means

If run, it could close unrelated browser tabs and potentially lose unsaved work or disrupt other browsing sessions.

Why it was flagged

The cleanup script closes all browser tabs that are not Eastmoney tabs, rather than limiting itself to tabs opened by this skill.

Skill content

other_tabs = [tab for tab in tabs if not is_eastmoney_tab(tab)]
...
tabs_to_close.extend(other_tabs)
...
["openclaw", "browser", "close", tab_id]

Recommendation

Restrict cleanup to tabs/windows created by the scraper, add a dry-run or confirmation mode, and avoid using it on a personal browser profile.

Concern: High Confidence
ASI10: Rogue Agents

What this means

Browser tabs may be closed repeatedly in the background without a visible notice at each run.

Why it was flagged

The provided cron configuration would run the tab-closing task twice per hour without announcements if the user adopts it.

Skill content

"cron": "20,50 * * * *",
"message": "执行Chrome浏览器Tab清理任务...",
"announce": false

Recommendation

Keep scheduled cleanup opt-in, enable announcements, and require explicit approval or stricter scope before recurring tab-closing actions.

What this means

The registry view understates what the skill needs, making it harder to review credential and runtime behavior before use.

Why it was flagged

The registry metadata says no credentials are required, while the skill documentation and code involve NocoDB credentials and browser-control scripts.

Skill content

Required env vars: none
Env var declarations: none
Primary credential: none

Recommendation

Declare the NocoDB credential/config requirements and browser-control dependency in metadata, even if users provide them manually.