Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Oil Price Monitor
v1.1.0
Monitor NDRC (National Development and Reform Commission) website for oil price adjustment announcements. Searches news releases every 10 working days at 17:...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: it scrapes the NDRC site, parses HTML, computes workday windows (via chinese-workdays) and formats output for OpenClaw to forward to Feishu. That part is coherent. However the package inserts the workspace parent directory into sys.path (in __init__.py and oil_price_monitor.py), which grants the skill the ability to import arbitrary sibling skill modules from the workspace (broader access than strictly required). Also the use of a subprocess to call an external 'multi-search-engine' via an inline python -c is heavier than the simple scrape/parse task and may be disproportionate.
Instruction Scope
SKILL.md instructs only scraping NDRC, window calculation, and pushing output to OpenClaw stdout — reasonable scope. The runtime code additionally (a) modifies sys.path to include the workspace root, allowing imports of other local modules; (b) invokes subprocess.run to execute inline Python intended to call a 'multi-search-engine' or other utilities. Those runtime behaviors can access arbitrary local modules and the runtime environment beyond the minimal scraping/parse/format pipeline described in SKILL.md.
Install Mechanism
There is no install spec (instruction-only install), only a requirements.txt listing standard libraries (requests, beautifulsoup4, lxml). No remote downloads, no obscure package sources, and nothing is written to nonstandard system locations. This is low risk from an install-vector perspective.
Credentials
The skill requests no environment variables or credentials, and the documented push to Feishu relies on OpenClaw capturing stdout instead of embedding webhooks/tokens — this reduces credential exposure. However, the sys.path adjustments and subprocess execution mean the code could import or execute other local modules that themselves access secrets or environment variables, so the effective reach is broader than the declared requirements suggest.
Persistence & Privilege
The skill is not force-included (always: false) and does not declare changes to other skills' configurations. It writes a local cache file under its own data/ directory (windows_cache.json), which is normal state for this functionality.
What to consider before installing
This skill appears to do what it says (scrape NDRC and report price announcements), but there are a few things to check before installing:
(1) Review the full oil_price_monitor.py for any subprocess.run calls that execute dynamic code — inline python -c can run arbitrary code and should be audited.
(2) The package inserts the workspace parent into sys.path, which allows importing other local skill modules; confirm you trust other code in the same workspace because this skill could import and execute it.
(3) Confirm how Feishu delivery is performed in your OpenClaw setup — make sure sensitive webhooks or tokens are not embedded or implicitly exposed.
(4) Test the skill in an isolated environment (or sandbox) first, and consider running it with limited filesystem permissions.
If you want higher assurance, ask the author to remove workspace-wide sys.path modifications and replace subprocess-based search calls with explicit, well-audited library calls or an injectable, whitelisted search utility.
Like a lobster shell, security has layers — review code before you run it.
Tags: china, energy, latest, monitor, ndrc, oil, optimized, price, v2
