Macro-Driver-Pro: Macro Barometer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide the macro-financial data it advertises, but it should be reviewed because automated calls can trigger SkillPay billing through a user identifier without clear execution-time controls.

Before installing, confirm that your OpenClaw or SkillPay setup enforces per-call approval, budget limits, and loop protection. Avoid sending extra personal or account data in the request payload, and do not let automated workflows call this endpoint repeatedly without a spending cap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly states that invoking it with a user_id will automatically trigger micro-billing, but it does not describe any explicit user consent, confirmation step, or notice at execution time. This creates a real risk of unintended charges, especially when the skill is invoked by an agent or automation workflow where the end user may not realize that providing the parameter authorizes payment.

VirusTotal

66/66 vendors flagged this skill as clean.
