Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawCat-BRIEF
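v0.7.0
Generates structured industry briefs by automatically fetching data from multiple sources, covering tech news, financial market data, technical weekly reports, and competitor analysis. Supports HTML/PDF/JSON output.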
by @llx9826
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (industry brief generator) matches the repository contents: many adapters for news, search, GitHub, arXiv, HuggingFace, AKShare, etc., plus pipeline nodes for fetch/dedup/summarize/render. Adapters and pipelines are proportionate to producing structured briefs.
Instruction Scope
SKILL.md instructs the agent to automatically select and fetch from many public web sources (search engines, news sites, social media, GitHub, arXiv). That is expected for this skill, but it does grant network access to many third‑party endpoints; the instructions do not ask to read local secrets or unrelated system files. The README notes PDF output requires Playwright (extra system dependency).
Install Mechanism
There is no install spec (instruction-only skill), lowering install risk. The repo includes many Python modules and a requirements.txt, so running the skill will require installing third-party Python packages (httpx, feedparser, ddgs/baidusearch, akshare, etc.) and possibly Playwright. Lack of an automatic installer means dependencies must be installed manually by the environment running the skill.
Credentials
Skill metadata declares no required env vars or credentials. The code supports optional tokens (e.g., github_token in GitHub adapter config) and calls LLMs (via internal llm code) — these rely on the host/agent to provide model credentials. No unexpected external secret requests are present in the repository itself. Review config.yaml before use to ensure no webhook/endpoint secrets are embedded.
Persistence & Privilege
always:false and no evidence the skill modifies other skills or system-wide agent settings. It is user-invocable and can run autonomously per platform default; that is expected for this kind of skill.
Scan Findings in Context
[base64-block] expected: The repository contains a large base64-encoded logo file (clawcat/static/luna_logo_b64.txt). A base64 block was flagged by the scanner but this appears to be an embedded static asset (logo), not prompt-injection or code obfuscation.
Assessment
This skill appears to do what it says: it gathers public web sources and assembles structured briefs. Before installing, consider: 1) Network access — the skill will make many outgoing HTTP requests (news sites, GitHub, arXiv, HuggingFace, Weibo, feed parsers). Ensure you’re comfortable allowing those connections. 2) Dependencies — running it requires installing multiple Python packages (and Playwright for PDF), which may need system-level setup. 3) Credentials — no required env vars are declared, but optional tokens (e.g., GitHub token) can be configured; verify config.yaml for any embedded endpoints/secrets. 4) Privacy — the skill will fetch and aggregate public content; avoid feeding it sensitive internal queries unless you trust where outputs will be stored. If you want extra assurance, inspect requirements.txt, config.yaml, and the llm integration file (clawcat/llm.py) to confirm how LLM calls are made and whether any external endpoints beyond the listed data sources are contacted.
clawcat/adapters/registry.json:180
Install source points to URL shortener or raw IP.
config.yaml:22
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
