Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Macro-Information
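v1.0.1 Macro-information skill. Queries macroeconomic news from China and abroad based on information from across the web, with support for sentiment analysis (positive/negative/neutral), event tag classification, popularity analysis, and time-range filtering. Use cases: invoked when the user asks about macroeconomic conditions, policy impact, economic data (GDP/CPI/interest rates, etc.), central bank policy (Federal Reserve/People's Bank of China), international trade, financial market developments, inflation and deflation, the impact of economic events, and similar topics. Trigger examples: ...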
⭐ 0· 50·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or primary credential, but both SKILL.md/README and the included script require an API key. That credential requirement is appropriate for a news-API skill, but the manifest omission is inconsistent. The SKILL.md/README reference FEEDAX (feedax.cn) while the script posts to a raw IP (http://221.6.15.90:18011), which is a mismatch worth verifying.
Instruction Scope
SKILL.md instructs the agent/user to cat a local .env file and to provide an API key, including a prompt that asks the user to tell the agent the API Key so it can “记住” (remember) it. Asking the agent to 'remember' a secret is scope creep and a privacy risk. The instructions also direct communication with an external service and recommend adding the API key into local files — both expected but should be handled securely.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. The package includes a Python script (scripts/query_macro_information.py) that depends on 'requests' (README tells users to pip install requests) but dependencies are not declared in the registry metadata. No external downloads or archive extraction are present.
Credentials
Requiring an API key is proportionate for this purpose, but env-var usage is inconsistent: SKILL.md suggests FEEDAX_SEARCH_API_KEY in a .env file, README and script reference FEEDAX_API_KEY, and the registry says 'none'. The script sends the API key both as a query parameter and an 'x-api-key' header over plain HTTP to an IP address (no TLS), increasing risk of credential exposure in transit. SKILL.md also encourages verbally giving the key to the agent — unnecessary and risky.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or agent config. However, SKILL.md's instruction to 'tell me the API Key so I remember' implies the agent may retain a secret in its session memory; that is a user-behavior/privacy concern rather than a declared technical privilege of the skill itself.
What to consider before installing
This skill is plausibly what it says (queries a FEEDAX macro-news API) but has several red flags you should address before use:
1) Do NOT paste or say your API key aloud to the agent — prefer setting it as an environment variable or config file and keep it secret.
2) Confirm which env var the code expects (scripts/query_macro_information.py uses FEEDAX_API_KEY) and update SKILL.md/README accordingly.
3) Verify the endpoint: the documentation references feedax.cn, but the script posts to http://221.6.15.90:18011 (an IP) over plain HTTP; prefer HTTPS and a domain name you can verify.
4) Avoid sending keys in URL query parameters; if you must use this script, run it in an isolated environment (sandbox or dedicated VM), inspect network traffic, and check that the remote service is legitimate.
5) Ask the skill author to fix metadata (declare required env vars and dependencies) and to remove any instruction that tells users to reveal secrets to the agent.
If you cannot verify the endpoint and provenance, treat the API key as sensitive and avoid installing/using this skill.
Like a lobster shell, security has layers — review code before you run it.
