Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

csmar-agent

v1.0.0

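Accesses the financial-report APIs provided by CSMAR. Use it when the user queries financial-report information for A-share companies; the output adds no final summary text. Invoked on the prompt keywords "财务" ("finance"), @csmar_agent, or @csmar-agent.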

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xmpx8/csmar-agent.

Install the skill "csmar-agent" (xmpx8/csmar-agent) from ClawHub.
Skill page: https://clawhub.ai/xmpx8/csmar-agent
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install csmar-agent

ClawHub CLI

npx clawhub@latest install csmar-agent

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The script posts a query and streams responses, which fits the described purpose of returning financial-report content. However the HTTP endpoint is a hard-coded private IP (http://10.222.21.157:6600/...), not an explicit csmar public API or documented host, which is unusual for a public skill and reduces transparency.
Instruction Scope
Runtime instructions and the script stay within a narrow scope: send the query to the endpoint, stream SSE data, and print content with flush. The skill does not read files, environment variables, or other system state beyond this network call.
Install Mechanism
There is no install mechanism (instruction-only plus a small Python script). Nothing is written to disk beyond the provided script and no external downloads or package installs are requested.
Credentials
The skill requests no credentials or environment variables, yet it makes network requests to a hard-coded private IP. Lack of configurability means queries will always be sent to that host; for many users this is unexpected and could leak queries to an untrusted internal service or fail silently. The absence of any declared endpoint/configuration is disproportionate given the network dependency.
Persistence & Privilege
The skill does not request persistent/system privileges, does not set always:true, and does not modify other skills or system settings.
What to consider before installing
This skill will send any query you run through it to the hard-coded internal address http://10.222.21.157:6600 and stream back the response. That may be fine if you run the agent inside the intended network and you trust that service, but it's unusual for a public skill to point to a private IP with no documentation or configuration. Before installing: (1) verify who operates that endpoint and whether it is trusted; (2) consider running the skill in a sandbox or on a machine/network you control; (3) if you expect it to call a public csmar API, ask the author to make the endpoint configurable (via an env var) and add authentication or documentation; (4) avoid sending sensitive queries until you confirm the destination is safe.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌊 Clawdis
Bins: python3
latest: vk972w4s2v19vhv65z713e4wcpx839axc
160 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

Usage

python3 skills/csmar-agent/scripts/search.py '<query>'

Request Parameters

Param | Type | Required | Default | Description
query | str | yes | - | Search query

Examples

# Basic search
python scripts/search.py "平安银行最近三年财报"

Rules

  • Process only events where event_type == "content".
  • Read chunk text from data.payload.content.
  • Print chunks with flush enabled to preserve real-time output.
  • Skip empty or non-string chunk values.
  • Do not print extra wrapping text before or after streamed content.

Expected Output Style

  • Terminal should show content as it arrives.
  • No "summary", "done", or post-processing paragraph.
