Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A-Share Global Peer
v1.0.2
Find global peer companies for A-share listed companies. Input an A-share company name or code, automatically match overseas listed companies (US, Europe, Ja...
by @laigen
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with included files: SKILL.md describes web_search + exec to run a Python helper and a reference table; the bundled script fetches company info (Tushare optional) and the reference file lists global leaders. Required tools (web_search, exec) and optional finance skills are proportional to the stated purpose.
Instruction Scope
SKILL.md instructions are scoped to searching and composing comparison reports. The runtime steps instruct using web_search and running scripts; they do not instruct reading unrelated local files or exfiltrating secrets. One caveat: the SKILL.md references iFinD and other skills for higher-quality data—you should confirm what those skills do when invoked (they could request additional permissions/credentials).
Install Mechanism
Instruction-only with one small Python helper file and no install spec. No remote downloads or installers; lowest install risk. The script optionally relies on the tushare Python package but falls back to recommending web search queries.
Credentials
SKILL.md lists two optional env vars (TUSHARE_TOKEN and BRAVE_API_KEY). The bundled script only reads TUSHARE_TOKEN; it does not reference BRAVE_API_KEY. Registry metadata shows required env entries as '[object Object]' which is a serialization/metadata bug and could cause the platform to surface env variables incorrectly. Overall the number and type of env vars are reasonable for the task, but the metadata mismatch and an advertised-but-unused BRAVE_API_KEY are inconsistencies that should be fixed/verified before use.
Persistence & Privilege
always is false; skill is user-invocable and allows normal autonomous invocation. It does not request persistent system-level privileges or attempt to modify other skills' config. No indicators it writes outside its own files.
Scan Findings in Context
[registry_env_parsing] unexpected: Registry metadata listed 'Required env vars' as '[object Object]' (likely a serialization bug). This is not expected for a well-formed skill manifest and could cause incorrect handling of environment variables by the platform.
[unused_env_var_BRAVE_API_KEY] unexpected: SKILL.md declares BRAVE_API_KEY as an optional env var for search enhancements, but the included Python script does not read BRAVE_API_KEY. That mismatch is not malicious by itself but is an incoherence to resolve.
What to consider before installing
This skill appears to implement its stated purpose, but there are minor inconsistencies you should check before enabling it:
1) The registry metadata shows environment entries as '[object Object]' — ask the publisher or registry maintainer to fix the manifest so the platform won't incorrectly request or expose env variables.
2) Confirm how the web_search tool will run in your environment and whether it relies on BRAVE_API_KEY or other search credentials (the bundled script doesn't use BRAVE_API_KEY, but the skill mentions it).
3) If you plan to supply a TUSHARE_TOKEN, ensure you trust Tushare usage; the token is optional and the skill can work with web search fallback.
4) Review the behaviors of any referenced optional skills (ifind-finance-data, tushare-data, akshare-stock) because those can increase the blast radius by requesting additional permissions or credentials.
If you need higher assurance, request a corrected manifest (env vars fixed) and ask the publisher to remove or document any unused environment variables.
Like a lobster shell, security has layers — review code before you run it.
a-share, benchmark, china-market, company-comparison, financial-analysis, global-leaders, latest, market-share, peer-analysis
Runtime requirements
Env: [object Object], [object Object]
