Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
虾皮市场热股分析 (Shrimp Market Hot Stock Analysis)
v1.0.2 — Analyzes hot, strong A-share stocks: filters the day's leading gainers with a price gain > 7% and IBS > 50, then groups them by sector to identify hot themes. Trigger words: hot stocks, leading stocks, strong stocks, top gainers, hot-spot stocks, sector leaders. Applicable scenarios: short-term hot-spot tracking, strong-stock discovery, hot theme identification. Not applicable: in-depth single-stock analysis, long-term investment research, detailed technical indicator explanations.
⭐ 0 · 84 · 0 current · 0 all-time
by 三水清 (@ksky521)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's name and description match its instructions: it uses the daxiapi CLI to fetch 'sector top' and 'sector gn' data and performs concept/sector frequency analysis. However, the SKILL.md assumes Node.js/npx and the npx daxiapi-cli tool are available, while the skill metadata declares neither the required binaries nor the primary credential; that mismatch (npx/node expected but not listed) should be noted.
Instruction Scope
Instructions are narrowly scoped to fetching data via 'npx daxiapi-cli@latest' commands, preprocessing the returned JSON, and producing a structured report. The SKILL.md does not instruct reading unrelated system files. It does instruct configuring and persisting an API token (via the CLI config or environment variables), which means the agent will interact with local config files if the user follows the CLI path.
Install Mechanism
This is an instruction-only skill that asks the agent/user to run 'npx daxiapi-cli@latest' which will dynamically fetch and execute code from the npm registry at runtime. That is a moderate-to-high supply-chain risk unless the daxiapi-cli package and its publisher are verified. The skill offers no pinned package version, no homepage, and the Source/Homepage metadata are missing, reducing provenance.
Credentials
The skill does not declare required env vars in metadata, but the docs explicitly describe using a persisted CLI token or the DAXIAPI_TOKEN environment variable. Requesting an API token is proportional to the purpose, but users should be aware the token may be stored in a local CLI config file (persisted) if they use the recommended CLI config flow.
Persistence & Privilege
The skill does not request 'always:true' and is user-invocable only. The only persistence implied is the daxiapi-cli's own config storage of the API token (local to the machine) if the user runs 'config set token'. The skill itself does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (fetch daxiapi data and analyze hot A-share stocks) but has a few practical risks to evaluate before installing/using:
- Verify provenance of 'daxiapi-cli' and of daxiapi.com (no homepage/source listed in metadata). An attacker-controlled CLI package could exfiltrate tokens or run arbitrary code.
- Avoid running 'npx ...@latest' on sensitive machines; prefer a pinned package version (e.g., @1.2.3) and audit the package source on npm/GitHub first.
- The SKILL.md recommends 'npx daxiapi-cli config set token' which will persist your API token in a local config file; if you must use a token, prefer setting DAXIAPI_TOKEN in a controlled environment or a short-lived token and avoid committing config files to repos.
- Ensure Node.js/npx are available and that you trust network access to daxiapi.com.
If you want to proceed safely: (1) confirm the official CLI repository and publisher, (2) inspect the daxiapi-cli package code or use a pinned, audited release, (3) use environment-variable-based tokens or ephemeral credentials, and (4) avoid running on systems containing other sensitive credentials.
Version: latest · vk9714r0eefwh9g7d9h4bh20dg584k45a