Stock Heat Rank

Advisory

Audited by VirusTotal on Mar 21, 2026.

Overview

Type: OpenClaw Skill
Name: stock-heat-rank
Version: 1.0.3

The skill bundle contains a heavily obfuscated JavaScript file (`lib/hexin_v.js`) which is required for generating API signatures. While the documentation claims this is extracted from official frontend code to bypass anti-scraping measures, the high level of obfuscation makes it impossible to verify whether it contains hidden malicious logic. Furthermore, `main.go` uses `os/exec` to run this script via Node.js, which is a risky pattern. Although the behavior aligns with the stated purpose of scraping stock data, the presence of a large 'black box' execution payload is a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user would be running hard-to-review third-party JavaScript as part of a stock-ranking query.

Why it was flagged

The runnable helper uses obfuscation-style variable names, string tables, and decoder/control-flow patterns. Because this large helper is sourced as extracted frontend code and is executed locally, its provenance and behavior are harder to audit.

Skill content

var a0_0x4f9ee0=a0_0x45b5;(function(_0x2d51df,_0xd5e931){...while(!![]){try{...}}}(a0_0xe51c,0xa810e)); ... function a0_0xe51c(){var _0x2ddd40=[...]

Recommendation

Use only if you trust the publisher and helper provenance. Prefer an audited, minimal signer implementation, include source/version provenance and hashes, and keep a reviewed copy of the helper.

What this means

Users may believe the helper is straightforward bundled code when it is actually difficult to review.

Why it was flagged

This assurance conflicts with the obfuscation patterns visible in the provided lib/hexin_v.js artifact. That mismatch could cause users to over-trust code that is difficult to inspect.

Skill content

代码经过压缩(非混淆)... / Code is minified (not obfuscated), standard frontend bundling format

Recommendation

Correct the documentation to disclose the helper’s obfuscated/minified nature and provide verification guidance, source provenance, and checksums.

What this means

If the expected helper is missing or the working directory contains an unintended replacement, the skill could execute a different local JavaScript file.

Why it was flagged

The Go program automatically executes the JavaScript helper with Node, and if the helper is not found beside the executable it falls back to a relative lib/hexin_v.js path.

Skill content

jsPath := filepath.Join(exeDir, "lib", "hexin_v.js") ... jsPath, _ = filepath.Abs("lib/hexin_v.js") ... cmd := exec.Command("node", c.jsPath, timestamp)

Recommendation

Bundle the helper beside the executable, verify its checksum before execution, avoid current-directory fallback, and run the skill only from a trusted directory.

What this means

A future install may fetch dependency versions different from those the author tested.

Why it was flagged

The skill asks users to run npm install for purpose-aligned JavaScript dependencies, but the semver ranges allow newer dependency versions and no lockfile is provided in the manifest.

Skill content

"dependencies": { "jsdom": "^24.0.0", "canvas": "^2.11.2" }

Recommendation

Pin dependencies with a lockfile and install from a trusted package registry.

What this means

The skill may interact with third-party services in ways that can be blocked or may conflict with those services’ access rules.

Why it was flagged

The skill openly uses a signature helper to access Wencai data through anti-scraping checks. This is aligned with the data-collection purpose but is a behavior users should understand.

Skill content

用于通过其API的反爬验证 / used to pass anti-scraping verification

Recommendation

Confirm that this data access is acceptable for your use case and be prepared for the provider to block or change the API.