Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trend Scope

v1.0.2

Public-opinion trend insight skill. Automatically generates professional public-opinion analysis reports from the user's requirements, covering sentiment distribution, geographic distribution, keyword analysis, media distribution, time trends and other dimensions. Trigger words (matched in Chinese): 舆情 (public opinion), 报告 (report), 生成报告 (generate report), 舆情报告 (public-opinion report), 分析报告 (analysis report), 品牌分析 (brand analysis), 市场分析 (market analysis), 竞品分析 (competitor analysis), 趋势分析 (trend analysis).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binary (python3), and the request for a FEEDAX API key align with a report-generation tool that calls an external Feedax API. The code includes area-code data and report templates that are coherent with that purpose. However, the implementation hard-codes API_BASE_URL = "http://221.6.15.90:18011" (a raw IP) rather than using the advertised https://www.feedax.cn or a configurable official domain; this mismatch is unexplained.
Instruction Scope
SKILL.md explicitly says queries and filter parameters will be submitted to the Feedax report API and warns users not to paste sensitive identifiers. The code does send the query/filters to an external endpoint, which is expected, but the endpoint differs (hard-coded IP) and uses plain HTTP. The skill will save full reports to ~/Desktop/舆情分析报告/. The instructions do not explain the IP endpoint or why HTTP is used, and that lack of transparency is a scope/privacy concern.
Install Mechanism
There is no install spec (instruction-only plus included scripts), so nothing is automatically downloaded during install — lower file-write risk. However the bundled script will perform network requests to a hard-coded external IP; no installer mitigates that. No external downloads or obscure installers are present.
Credentials
The requested env var FEEDAX_REPORT_API_KEY (primary credential) is appropriate for an API-based reporting tool; the script also accepts FEEDAX_SEARCH_API_KEY as a fallback. No unrelated secrets or broad credential scopes are requested. Still, the key authenticates every query the skill submits, and the remote endpoint receives that query content in full; coupled with the unexplained IP/HTTP endpoint, that is a privacy risk.
Persistence & Privilege
Skill does not request always:true, has no install hook, and does not modify other skills or system config. It writes reports to a directory under the user's home (~/Desktop/舆情分析报告/) which is expected behavior for a report generator.
Scan Findings in Context
[HARDCODED_ENDPOINT_IP] unexpected: The script sets API_BASE_URL = "http://221.6.15.90:18011" (raw IP). The SKILL.md/README point users to feedax.cn; using a hard-coded IP instead of an official domain or configurable endpoint is unexpected and unexplained.
[INSECURE_HTTP] unexpected: The API base URL uses http (not https). Transmitting queries (which may include sensitive content) over plain HTTP risks interception and is inconsistent with best practices for an analytics API.
[EXTERNAL_HTTP_REQUESTS] expected: The tool must call a remote Feedax-like API to fetch report data, so outbound HTTP(S) requests are expected. The concern is the destination and transport (IP + HTTP) rather than the fact of network I/O.
[LOAD_DOTENV] expected: The script loads a local .env file and environment variables to obtain the API key; this is expected for an API-driven CLI. The README/skill.md instruct users to set FEEDAX_REPORT_API_KEY in env or .env.
What to consider before installing
This skill appears to be a legitimate report generator, but before installing or using it:

1) Do not paste API keys or PII into chat. Follow the skill's own advice and set FEEDAX_REPORT_API_KEY as an environment variable.
2) Verify the API endpoint: the code calls http://221.6.15.90:18011 (a raw IP) rather than an official feedax.cn domain. Ask the author why, or run the script only in an isolated/sandboxed environment.
3) Because the script uses plain HTTP, avoid sending any sensitive or personally identifiable data in queries; redact or anonymize the data first.
4) If you must use the skill in production, ask the author to change the base URL to an official, documented HTTPS endpoint or to make the endpoint configurable rather than hard-coded.
5) If unsure about the owner/source, inspect network traffic (or run in a VM) to confirm where data is sent, or contact Feedax to confirm whether 221.6.15.90:18011 is an authorised Feedax endpoint.

These steps reduce the risk of unintended data exposure.
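The two unexpected findings above (a hard-coded raw-IP endpoint and plain HTTP) and the "configurable HTTPS endpoint" remedy can be expressed as one policy and applied twice: statically, by scanning the bundled script for URL literals before you install it, and at runtime, when the script resolves its base URL. The following is an added example written for this page; it is not the skill's own code and not the ClawHub scanner. The first two labels reuse the page's finding names; UNEXPECTED_HOST is this example's own label for a DNS name outside the documented domain. FEEDAX_API_BASE_URL and FEEDAX_ALLOW_INSECURE_ENDPOINT are assumed variable names (the flagged script has no configurable endpoint), https://www.feedax.cn is taken as the documented origin because the page calls it the advertised domain, and the sample source is constructed, with only the API_BASE_URL value being the one quoted on this page.

```python
"""Endpoint policy for a skill's API base URL, applied statically (scan the
bundled script for URL literals) and at runtime (resolve the base URL from the
environment). Example code written for this page, not the skill's own code."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# The first two labels mirror the scan findings on this page; UNEXPECTED_HOST
# is an extra label added here for a DNS name outside the documented domain.
HARDCODED_ENDPOINT_IP = "HARDCODED_ENDPOINT_IP"
INSECURE_HTTP = "INSECURE_HTTP"
UNEXPECTED_HOST = "UNEXPECTED_HOST"

# Assumption: the documented origin is https://www.feedax.cn (the page calls
# it the advertised domain); the real API path is not given on the page.
EXPECTED_HOST_SUFFIX = "feedax.cn"
DEFAULT_API_BASE_URL = "https://www.feedax.cn"

# A quoted http(s) URL literal in Python source.
URL_LITERAL = re.compile(r'["\'](https?://[^"\'\s]+)["\']')


def classify_endpoint(url: str, expected_host_suffix: str = EXPECTED_HOST_SUFFIX) -> list[str]:
    """Return the policy violations for one base URL; an empty list means acceptable."""
    parts = urlparse(url)
    host = parts.hostname or ""
    findings: list[str] = []
    if parts.scheme != "https":
        findings.append(INSECURE_HTTP)
    try:
        ipaddress.ip_address(host)  # raw IPv4/IPv6 literal instead of a domain
        findings.append(HARDCODED_ENDPOINT_IP)
    except ValueError:
        # A DNS name: it must be the documented domain or a subdomain of it.
        if host != expected_host_suffix and not host.endswith("." + expected_host_suffix):
            findings.append(UNEXPECTED_HOST)
    return findings


def scan_source(source: str) -> list[tuple[int, str, list[str]]]:
    """Static check: every quoted http(s) URL literal that violates the policy,
    as (line_number, url, findings). Run this over a skill's scripts before use."""
    results = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for url in URL_LITERAL.findall(line):
            findings = classify_endpoint(url)
            if findings:
                results.append((lineno, url, findings))
    return results


class EndpointPolicyError(ValueError):
    """Raised when the configured base URL violates the endpoint policy."""


def resolve_api_base_url(env: dict[str, str], default: str = DEFAULT_API_BASE_URL) -> str:
    """Runtime check: read the base URL from FEEDAX_API_BASE_URL (an assumed
    variable name; the flagged script has none), default to the documented
    origin, and refuse plain HTTP, raw-IP or off-domain hosts unless the
    operator explicitly sets FEEDAX_ALLOW_INSECURE_ENDPOINT=1 (also assumed)."""
    url = env.get("FEEDAX_API_BASE_URL", default).rstrip("/")
    findings = classify_endpoint(url)
    if findings and env.get("FEEDAX_ALLOW_INSECURE_ENDPOINT") != "1":
        raise EndpointPolicyError(f"{url}: {', '.join(findings)}")
    return url


def resolve_api_key(env: dict[str, str]) -> str | None:
    """Credential lookup as the page describes it: FEEDAX_REPORT_API_KEY first,
    FEEDAX_SEARCH_API_KEY as the fallback. The key comes from the environment
    (or a .env loaded into it), never from the chat or the command line."""
    return env.get("FEEDAX_REPORT_API_KEY") or env.get("FEEDAX_SEARCH_API_KEY")


# Constructed sample in the shape of the flagged script. The API_BASE_URL value
# is the one quoted on this page; the other lines are made up for the demo.
SAMPLE_SOURCE = '''
import requests
API_BASE_URL = "http://221.6.15.90:18011"
DOCS_URL = "https://www.feedax.cn"
MIRROR_URL = "https://10.0.0.5/api"
CDN_URL = "https://cdn.example.com/assets"
'''

if __name__ == "__main__":
    for lineno, url, findings in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {url} -> {', '.join(findings)}")
    print("default base URL:", resolve_api_base_url({}))
    try:
        resolve_api_base_url({"FEEDAX_API_BASE_URL": "http://221.6.15.90:18011"})
    except EndpointPolicyError as exc:
        print("refused:", exc)
```

On the constructed sample, scan_source reports the page's two findings on the API_BASE_URL line, HARDCODED_ENDPOINT_IP alone for the HTTPS raw-IP mirror, and UNEXPECTED_HOST for the off-domain CDN, while the documented origin passes. The runtime resolver applies the same classification, so a skill wired this way cannot be quietly pointed at a raw-IP or plain-HTTP host by a default in the code; only an explicit operator override allows it.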


latest: vk970dnwcjr1kbv8wv4qdrq4hns84cf0w


Runtime requirements

Bins: python3
Env: FEEDAX_REPORT_API_KEY
Primary env: FEEDAX_REPORT_API_KEY
