Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
虾皮 Market Breadth Heatmap
v1.0.2 Analyzes A-share sector heatmaps to identify leading, rising and reversing industries. Trigger words: sector heatmap, industry rotation, hot sectors, leading sectors, sector analysis, heatmap. Applicable scenarios: analyzing sector heatmaps, identifying hot industries, judging industry rotation. Not applicable: individual stock analysis, index analysis, bond analysis.
by 三水清 (@ksky521)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's described purpose (heatmap / sector analysis) matches the runtime instructions (calls to the 'daxiapi' CLI and use of daxiapi.com data). However the registry metadata declares no required binaries or primary credential, yet the SKILL.md assumes the presence of the 'daxiapi' CLI and a daxiapi API token. The omission of the required CLI/token in metadata is an inconsistency (likely sloppy or incomplete packaging) and should be resolved before trusting the skill.
Instruction Scope
SKILL.md limits actions to: check/configure the daxiapi token, run three daxiapi commands (sector heatmap, sector gn, sector top), compute statistics and produce a report. It does not instruct the agent to read unrelated filesystem paths, access other services, or exfiltrate data to unexpected endpoints. The external endpoint implied is daxiapi.com (expected for this purpose).
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). However, runtime depends on the third‑party 'daxiapi' CLI being present. Because the skill does not provide an install step or declare the binary requirement, an agent may fail at runtime or prompt the user to install an external CLI; this is a usability and trust concern (not direct maliciousness).
Credentials
The skill requires a daxiapi API token in practice (SKILL.md shows config set/get flows), but the metadata lists no required environment variables or primary credential. The token will be handled via the daxiapi CLI config rather than a declared env var; that may be acceptable, but the metadata omission reduces transparency about credential usage and storage. Users should be aware a third‑party API key is needed and where it will be stored.
Persistence & Privilege
No special persistence or elevated privileges are requested. Flags show always:false and the skill does not claim to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined here with broad or unexpected privileges.
What to consider before installing
This skill appears to do what it says and relies on the daxiapi service/CLI to fetch heatmap and leader-stock data. Before installing:
(1) confirm you have or will install the official 'daxiapi' CLI from a trusted source; the skill's metadata currently does not declare this requirement;
(2) understand you will need a daxiapi API token (the SKILL asks you to set it via daxiapi config), and that token will be stored/used by the daxiapi CLI; only provide a token you trust the service with;
(3) verify daxiapi.com is the intended data provider and that you trust its privacy/security practices;
(4) consider asking the skill author to update metadata to declare the required binary and the credential so the skill's footprint is transparent.
The inconsistencies likely reflect packaging oversights rather than malicious intent, but the missing declarations reduce transparency and warrant caution.
latest: vk977gwfn5xgz10gahpkjr8719h84p6h8
