Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pre-Market Overview Briefing
v1.0.3 · Generates a full-picture briefing of the A-share market before the open on trading days (8:00-9:25), integrating market structure, capital-flow heat, style rotation and sector strength/weakness to help identify the day's main investment themes. Trigger words: pre-market briefing, pre-market analysis, today's market, pre-open outlook, market mainline, today's hot spots. Applicable scenarios: quickly grasping the overall market picture before the open on a trading day, reference for investment decisions, identifying the day's main direction. Not applicable: non-trading days, intraday real-time analysis, in-depth research on individual stocks.
⭐ 0 · 93 · 0 current · 0 all-time
by 三水清 @ksky521
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description (A股盘前简报, "A-share pre-market briefing") aligns with the actions described: fetching market metrics and composing a structured report. However, the skill's runtime explicitly requires using the daxiapi CLI (npx daxiapi-cli@latest) and an API token, while the registry lists no required environment variables or primary credential. The token requirement is proportional to the stated purpose but is not declared in metadata, creating an inconsistency.
Instruction Scope
SKILL.md instructs the agent/operator to run multiple npx daxiapi-cli commands and to configure a persistent token (via CLI config or by setting DAXIAPI_TOKEN / shell rc). The instructions reference and write a local config path (~/.daxiapi/config.json) and recommend adding environment variables to shell startup files—actions that read/write user config and environment state beyond what the registry declares. The commands themselves stay within the stated data domain (market APIs) and do not exfiltrate to unrelated endpoints, but they do grant the CLI persistent access to the user's token.
Install Mechanism
The skill is instruction-only (no install spec), but runtime uses npx daxiapi-cli@latest which dynamically downloads and executes an npm package. npx/remote npm execution is moderate-risk: it fetches code from the public registry at runtime and executes it locally. The skill does not provide verification of the CLI package source or a pinned version, increasing risk if the npm package or its maintainer were compromised.
Credentials
Functionally, an API token is reasonable for calling daxiapi APIs. However, the registry declares no required env vars/credentials while the SKILL.md and references instruct storing and using an API token (DAXIAPI_TOKEN and ~/.daxiapi/config.json). This mismatch (undeclared but required credential and config path) is a proportionality/visibility problem: the skill will ask for secrets and persist them, but that critical requirement is not surfaced in the metadata.
Persistence & Privilege
The skill does not set always:true and does not ask to modify other skills. It does instruct persistent storage of a token (CLI config file and/or adding export to shell rc), making the token persist on the host. Persisting API credentials is expected for a client CLI but is an important security consideration: the token will remain on disk/environment and could be used by other processes if compromised.
What to consider before installing
What to consider before installing/using this skill:
- The skill's runtime requires a daxiapi API token and instructs using npx daxiapi-cli@latest; the registry metadata does not declare this credential—expect to provide and persist a token.
- npx will download and run code from the npm registry each time; verify the daxiapi-cli package origin and prefer pinned versions or review its source before executing (check npm page and upstream GitHub repository). Avoid running unknown 'latest' packages on sensitive machines.
- The token may be saved to ~/.daxiapi/config.json or added to your shell rc (persistent). If you proceed, create a dedicated, least-privileged token/account, do not reuse high-privilege credentials, and avoid storing secrets in shared accounts or repos.
- Consider running the CLI in an isolated environment (container, VM) or limiting network access, and inspect the CLI's configuration file after first use to confirm only expected data is stored.
- If you need metadata to match runtime requirements (recommended), ask the publisher to update the registry to declare the required credential (DAXIAPI_TOKEN) and to document/pin the CLI package source/version.
Confidence note: I am confident this skill is internally inconsistent (undeclared but required token; use of npx), so exercise caution. Additional information that would change the assessment: a declared required-env field listing the token, a pinned CLI package URL/version, or hosting/publisher provenance (official daxiapi.com package repository) would reduce concern.
Version: latest (vk977b8vxsd7d5s2e60364ykdxh84q80k)