ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

金融知识

v1.0.5

A retrieval skill that answers finance questions from the `article_fin_knowledge/` knowledge base (8 markdown files covering banking, funds, M&A, derivatives...

0· 44·1 current·1 all-time
by@krillingone
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description and the local markdown knowledge base align with a retrieval Q&A skill for finance. The only capability beyond retrieval is recommending a banking platform and embedding a remote image, which is plausible for product referral but not strictly required by a knowledge-retrieval skill.
!
Instruction Scope
SKILL.md correctly instructs the agent to parse the question, open 1–3 local files, and source answers from the local article_fin_knowledge/ files. However, the Response Format mandates always appending the promotional sentence and embedding the external image (https://static.hepei.club/contact.png). This contradicts the skill's own Boundary rule that platform recommendations should only occur for 'high-intent' users — an internal inconsistency that grants the skill promotional behavior beyond pure retrieval.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install mechanism (nothing written to disk).
Credentials
The skill requests no credentials or environment variables (proportional). However, it requires embedding/fetching an externally hosted image (static.hepei.club). Embedding remote resources can leak metadata (client IP, timing, user-agent) to that host and functions as a third-party endpoint not documented in metadata — this is a privacy/tracking concern even though no secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says — answer finance questions from the included markdown files — but it has two issues you should consider before installing: (1) SKILL.md forces adding a promotional line and an externally hosted image (https://static.hepei.club/contact.png) to every response, despite a separate rule saying recommendations should only be shown for high-intent users. Ask the maintainer to clarify/remove the mandatory promotion or make recommendations conditional. (2) The external image will cause clients or the agent to fetch a resource from static.hepei.club, which can leak metadata (IP, timing, user-agent) to that host; if you care about privacy or avoiding third-party tracking, request that the image be bundled locally or that the referral be optional. Also consider asking for a source/homepage and publisher verification since the skill's source/homepage is unknown.

Like a lobster shell, security has layers — review code before you run it.

latestvk975w4xrcr1ye2wc1tn02pjvw584dqbv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments