v1.0.0

实时财经 (Real-Time Finance)

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:58 AM.

Analysis

The main finance-news API fetcher looks purpose-aligned, but the package also includes an under-disclosed browser-scraping helper that can attach to a local browser session.

Guidance: Review this skill before installing. The primary fetch_api.js script appears to fetch public Sina Finance news and store it locally, but avoid running fetch_and_save.js unless you explicitly want browser-based scraping and understand the local browser-session access. Also only configure the 5-minute cron polling if you want continuous background updates.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use cron to run it every 5 minutes:

cd ~/.openclaw/workspace/skills/实时财经 && node fetch_api.js

The skill describes recurring execution every five minutes. This is consistent with its real-time news purpose, but it is still ongoing background behavior that users should knowingly enable.

User impact: The skill may repeatedly contact the Sina Finance API and update local news/state files if the cron workflow is configured.
Recommendation: Only enable the scheduled polling if you want continuous updates, and disable the cron job when you no longer need it.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
fetch_and_save.js
const puppeteer = require('puppeteer');

An included helper depends on Puppeteer even though the registry declares no required binaries or install spec and SKILL.md presents the main workflow as API-only. This is an undeclared auxiliary dependency rather than direct malicious behavior.

User impact: Users or agents may be surprised by a helper that needs an extra browser-automation package and broader local browser access than the documented API path.
Recommendation: Declare all runtimes and dependencies, or remove the unused Puppeteer helper from the skill package.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
fetch_and_save.js
const browser = await puppeteer.connect({ browserURL: 'http://localhost:9222' });
const pages = await browser.pages();
const page = pages.find(p => p.url().includes('finance.sina.com.cn/7x24')) || pages[0];

This included helper can attach to an existing local browser debugging session and falls back to the first open tab if the expected Sina Finance page is not found. That browser/session access is broader than the documented API-only public-news workflow.

User impact: If this helper is run while a debug-enabled browser is open, it could read page content from the user's active browser context instead of only fetching public API news.
Recommendation: Use the API script only, or remove/disable the Puppeteer helper. If browser scraping is needed, document it clearly, require explicit user approval, and restrict it to the intended Sina Finance URL without a first-tab fallback.