Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

虾皮 individual-stock sentiment / announcement / research-report catalyst analysis

v1.0.3

Individual-stock sentiment/announcement/research-report catalyst analysis: uses the `news` command to collect information, filter noise, grade sources and score impact. Trigger words: individual-stock sentiment, announcement interpretation, research-report interpretation, news-flow analysis, news catalyst, bullish/bearish. Applicable scenario: the user wants to assess how recent news events about a given A-share affect its price and expectations. Not applicable: pure technical-indicator tutoring, requests with no ticker symbol, non-A-share markets.

by 三水清 (@ksky521)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's described purpose (collect sentiment/notice/report via a news API and produce a scored report) matches the runtime instructions that call daxiapi-cli's news commands. However, the package metadata declares no required binaries or credentials while the SKILL.md explicitly instructs the agent/user to run 'npx daxiapi-cli@latest' and to set/get a token. That token (and a runnable npx/npm environment) are operationally required — their omission from declared requirements is an incoherence.
! Instruction Scope
Runtime instructions explicitly instruct running npx daxiapi-cli commands (network fetch + execution of remote npm package) and to configure a token via 'npx daxiapi-cli config set token'. The instructions do not ask for unrelated files or secrets, but they do direct the agent/user to access and mutate local CLI config/state via the external tool. The skill gives broad discretion to fetch 'latest' CLI code via npx, which will execute remote code on the host — expected for this task but not declared.
Install Mechanism
There is no formal install spec in the registry (instruction-only). However, the SKILL.md relies on npx to download and run daxiapi-cli@latest from the npm registry at runtime. Fetching/executing code via npx/npm is a moderate risk (remote code executed locally) and should be considered part of the install/runtime footprint even though no install block is declared.
! Credentials
The skill requires a DAXIAPI token (the SKILL.md shows commands to get/set 'token'), but the registry metadata lists no required environment variables, primary credential, or config paths. Requiring a secret token for the external API is reasonable for this functionality, but failing to declare that credential and how/where it's stored is a proportionality and transparency problem. Additionally, the skill implies using npx/npm and the user's CLI config directory to persist the token.
Persistence & Privilege
The skill is not marked 'always:true' and contains no code that modifies other skills or global agent settings. It instructs the user/agent to configure a token in the daxiapi-cli config, which is local to that CLI, but the skill itself does not request persistent elevated privileges.
What to consider before installing
This skill appears to do what it says (scrape sentiment/announcements/reports via the daxiapi-cli and produce a scored report), but it omits important operational details. Before installing or running it:
1) confirm the origin and trustworthiness of 'daxiapi-cli' (is it an official vendor package?) — npx will fetch and execute its code;
2) understand where the token is stored (the SKILL.md uses 'npx daxiapi-cli config set token', which writes to the CLI config) and avoid pasting high-privilege secrets unless you trust the package;
3) request that the publisher explicitly declare required binaries (node, npx), the credential type (DAXIAPI token) and any config paths;
4) optionally run the npx commands manually in a sandbox or inspect the daxiapi-cli npm package source before granting a token; and
5) if you cannot verify the daxiapi-cli package or the token provider, do not provide sensitive credentials; prefer running the data-collection steps yourself and feeding sanitized results to the skill.
