Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

A full review of the A-share market, integrating index performance, a sector heat map, limit-up/limit-down counts, style rotation, and market-temperature analysis. Trigger phrases: market review, how was the market today, market analysis, daily review, market overview. Suitable for: a full review of the day's A-share market and generating a comprehensive market analysis report. Not suitable for: in-depth analysis of individual stocks, single-indicator analysis, bond or fund analysis.

v1.0.0

by 三水清 (@ksky521)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md behavior (calling daxiapi CLI endpoints such as market/index, market/temp, and the sector heat map) is coherent with a market-review purpose. However, the package metadata lists no required binaries or environment variables, while the instructions require npx (Node/npm) and a DAXIAPI_TOKEN; this mismatch is unexpected and should have been declared.

Instruction Scope (flagged)
Runtime instructions tell the agent to run npx daxiapi-cli@latest ... commands and to configure an API token. These steps will (a) fetch and execute code from npm at runtime, (b) ask the user to obtain and store a DAXIAPI_TOKEN, and (c) run networked CLI calls. The instructions do not attempt to read unrelated files or secrets, but they give the agent broad discretion to fetch multiple endpoints and run arbitrary CLI invocations via npx.

Install Mechanism (flagged)
There is no install spec, but the SKILL.md depends on 'npx daxiapi-cli@latest', which causes on-demand downloads from the npm registry. That runtime download and execution is higher risk than a purely instruction-only skill and should be declared. The SKILL.md also recommends configuring the token via the CLI or an environment variable rather than providing a packaged installer; this silent reliance on remote code is notable.

Credentials (flagged)
The skill requires an API token (DAXIAPI_TOKEN) according to the instructions, but the registry metadata declares no required environment variables or primary credential. Requesting an API token is reasonable for a data service, but the failure to declare it reduces transparency. The skill does not request unrelated credentials, but it does encourage storing a token in the environment or CLI config, so the user should consider that token's scope and permissions.
Persistence & Privilege
The skill is not marked always:true and doesn't request system config paths or other skills' configs. It does suggest storing the token in CLI config or an env var (normal for API clients) but does not request permanent elevated presence.
What to consider before installing
This skill appears to do what it claims: produce an A-share market review using data from daxiapi. Before installing or using it:
1. Note that the SKILL.md requires running 'npx daxiapi-cli@latest', which will download and run code from npm at runtime. Only proceed if you trust the daxiapi package and the npm source.
2. The skill asks you to obtain and store an API token (DAXIAPI_TOKEN), but the registry metadata did not declare this requirement. Verify what token scopes and permissions you grant, and avoid putting long-lived secrets in shared shells.
3. Ask the publisher or registry owner to declare required environment variables and dependencies explicitly (npx/node, DAXIAPI_TOKEN) and to provide a trustworthy homepage or source.
If you cannot verify daxiapi.com or the npm package, treat this as higher risk and avoid running the npx commands.
