Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CompanyInformation
v1.0.0 Corporate public-opinion monitoring and risk early-warning skill. It queries news and public-sentiment developments for specific listed companies via the FEEDAX API and supports sentiment analysis (positive/negative/neutral), public-opinion heat assessment, industry classification and identification of related companies. Use cases: querying news about a specific company, monitoring corporate reputation risk, analyzing a company's public image, researching listed-company developments, tracking negative corporate events, assessing investment risk, understanding the competitive landscape of an industry, etc. Trigger examples: ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's code and SKILL.md clearly implement a FEEDAX API client and legitimately need an API key and network access to the FEEDAX endpoint. However, the registry metadata declares no required environment variables or primary credential, even though the SKILL.md and the included script require/accept FEEDAX_API_KEY (via env var, CLI arg, or config file). That metadata omission is an incoherence.
Instruction Scope
Instructions tell the agent/user to check and create a local .env, to 'tell me the API Key so I remember', and show examples of running the bundled script. They also hard-code an IP:port (221.6.15.90:18011) as the service host. Asking the user to paste the API key into chat is out-of-band for secret handling and increases risk; using a raw IP instead of a well-known domain is unusual and reduces transparency.
Install Mechanism
There is no install spec (instruction-only skill with a local Python script). No remote downloads or archive extraction are specified. The risk from installation actions is low, but the included script will perform outbound HTTP requests when run.
Credentials
The only sensitive credential used is the FEEDAX API key, which is appropriate for the skill's purpose. However, the skill package/registry metadata did not declare this required env var or primary credential — a mismatch. Additionally, the SKILL.md encourages providing the API key via chat, .env, env var, or config.json; asking users to paste secrets into chat is unnecessary and risky.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. However SKILL.md explicitly asks the user to 'tell me API Key so I remember', implying the agent may persist the secret in conversation memory. Persisting secrets in the agent without explicit storage/credential handling guidance is a privacy/security concern.
What to consider before installing
Before installing or using this skill:
(1) Treat the FEEDAX API key as a secret — do NOT paste it into chat; prefer setting FEEDAX_API_KEY as an environment variable or in a local config file and run the provided script locally.
(2) Note that the registry metadata does NOT declare the required API key — this mismatch is suspicious; verify the publisher/source before trusting.
(3) The skill calls an IP address (221.6.15.90:18011) rather than a domain; validate that this endpoint (and feedax.cn) is legitimate for your organization.
(4) Review the Python script locally to confirm it only sends the API key to the expected endpoint (it sends apiKey in query params and in an x-api-key header — query params can be logged by proxies; prefer header-only if possible).
(5) If you must test, use a scoped or expendable API key, and restrict outbound network access / logs while evaluating.
(6) If you do not trust the source, run the script in an isolated environment or decline to install the skill into an agent that could persist secrets.
Like a lobster shell, security has layers — review code before you run it.
