Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiapi A-Share Limit-Up/Limit-Down Stock Analysis
v1.0.2. Analyzes A-share limit-up and limit-down stocks, identifying hot sectors and leading stocks. Trigger words: 涨停 (limit-up), 跌停 (limit-down), 炸板 (broken limit-up), 涨跌停分析 (limit-up/down analysis), 涨停板 (limit-up board), 涨停股 (limit-up stocks), 跌停股 (limit-down stocks), 炸板股 (broken-limit stocks). Applicable scenarios: short-term hot-spot tracking, market sentiment assessment, leading-stock identification. Not applicable: in-depth analysis of individual stocks, long-term investment research, detailed explanation of technical indicators.
by 三水清 (@ksky521)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Functionality (fetching zt/dt/zb data from daxiapi and aggregating by industry) matches the name/description and legitimately requires an API token. However, the skill registry metadata lists no required env vars/credentials while SKILL.md explicitly instructs setting DAXIAPI_TOKEN / configuring a token — an inconsistency between declared requirements and actual instructions.
Instruction Scope
SKILL.md instructs the agent/user to run npx daxiapi-cli@latest commands and to persist a token via the CLI or environment. That means the agent will download and execute remote code at runtime and will store/use a credential. The instructions do not ask to read unrelated local files, but running @latest without verification grants broad discretion to execute arbitrary package code.
Install Mechanism
There is no formal install spec, but the runtime workflow relies on npx daxiapi-cli@latest. Using npx with @latest pulls code from the public npm registry at runtime, which increases risk (unreviewed remote code execution). The skill provides no guidance to pin or verify the package or its provenance.
Credentials
Although the registry metadata declares no required env vars, the documentation requires a DAXIAPI_TOKEN and recommends persisting it (CLI config or .env). Requesting and storing a token is proportionate for this data service, but the metadata mismatch and lack of guidance on token scope/permissions and safe handling are concerning.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. It suggests persisting a token via the CLI or .env (normal for API clients) but does not ask to change other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (fetch and analyze limit-up/down data) but has two red flags: (1) the SKILL.md tells you to run npx daxiapi-cli@latest, which downloads and executes code from npm at runtime, and (2) it requires an API token (DAXIAPI_TOKEN) even though the metadata doesn't declare it. Before installing or using it: verify the reputation of daxiapi/daxiapi-cli and the package maintainer; prefer pinning a specific package version instead of @latest; inspect the daxiapi-cli source (or run it in an isolated/sandbox environment) to ensure it makes only the expected API calls; limit token permissions if possible and avoid committing the token to repos; consider generating a dedicated, revocable token for this use. If you cannot verify the npm package or don't want to run remote code, do not install or use the skill.
