Cn Security Code Resolver Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and purpose-aligned; it mainly runs an included Python lookup script that sends security-name queries to Eastmoney’s public search API.

Before installing, confirm you are comfortable with the agent running the included Python script and sending queried security names to Eastmoney. Do not use it for confidential portfolio entries unless that external lookup is acceptable, and manually confirm ambiguous matches before relying on the returned code.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may run the included resolver script with the security names supplied for lookup.

Why it was flagged

The skill directs the agent to run a local Python helper script. This is central to the stated purpose and uses a fixed bundled path, but users should be aware that local command execution is part of the workflow.

Skill content
Run the bundled resolver script:

```bash
python3 skills/cn-security-code-resolver/scripts/resolve_cn_security.py "中国海油"
```
Recommendation

Use it for intended security-name lookups, and review the included script if local command execution is a concern.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may not work in an environment without Python 3, despite the metadata not declaring that requirement.

Why it was flagged

The workflow depends on Python, while the registry metadata lists no required binaries. This is an under-declared runtime requirement, not evidence of hidden or malicious behavior.

Skill content
```bash
python3 skills/cn-security-code-resolver/scripts/resolve_cn_security.py "中国海油"
```
Recommendation

Install or verify Python 3 before use; maintainers should declare Python as a required binary.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Security names, portfolio/watchlist entries, or other lookup terms may be shared with Eastmoney during resolution.

Why it was flagged

The script sends each user-supplied query string to Eastmoney’s public suggest API. This is disclosed and purpose-aligned, but it means queried security names or watchlist entries leave the local environment.

Skill content
```python
API = "https://searchapi.eastmoney.com/api/suggest/get"
...
params = {
    "input": query,
    "type": "14",
    "token": TOKEN,
}
```
Recommendation

Avoid using the skill with confidential portfolio data if you do not want those lookup terms sent to Eastmoney.