Amber Electric real-time prices, forecast prices, and site information

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: read Amber Electric site and pricing data using the user's Amber API key.

Install only if you are comfortable configuring an Amber API key so OpenClaw can read your Amber site identifiers and electricity pricing data. Verify the publisher/source if provenance matters to you, because the package metadata has a minor version mismatch and no strong source link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill sends authenticated requests to Amber's external API using an account-linked bearer token and user-supplied site identifiers, but the skill description and interface do not clearly disclose that account data will be transmitted to a third-party service. This creates a privacy and transparency issue because users may expose site metadata and pricing information without an explicit warning or consent step.

VirusTotal

64/64 vendors flagged this skill as clean.
