Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

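Find Data (找数据)

v1.0.0

Query real-time data on commodity market prices, inventory, costs, imports and exports, and more. Covers 1200+ commodities across energy, chemicals, steel, non-ferrous metals, agricultural products, and other sectors. Use when the user asks about prices, quotes, inventory, costs, profits, supply and demand data, market data, futures and spot prices, historical trends, or the price of a specific commodity such as PTA, polyethylene, or crude oil. Prevents the AI from using outdated or non-authoritative data sources.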

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes querying a commodity-data API (1200+ products) and the examples show POST requests to https://api.zhuochuang.com/openclaw/data-search — this is coherent with the skill's stated purpose. However, the registry metadata declares no required environment variables or primary credential, while the SKILL.md explicitly instructs users to provide an API key (XZ_APIKEY). That metadata mismatch is unexpected.
Instruction Scope
Runtime instructions are narrowly scoped: set an XZ_APIKEY env var (or use a local API if present) and POST queries to the stated zhuochuang API endpoint. The instructions do cause user queries (potentially sensitive) to be transmitted to an external service, which is expected for a remote-data skill but worth noting. There is no instruction to read unrelated local files or credentials, aside from '检查本地 API 是否存在' (check whether a local API exists), which is vague but not clearly malicious.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write binaries or archives to disk. That reduces install-time risk.
Credentials
The instructions require an API key in environment variable XZ_APIKEY, but the registry lists no required env vars or primary credential. The skill will transmit queries and that API key to api.zhuochuang.com; requiring one API key for a remote data service is reasonable, but the metadata omission is a red flag (it prevents automated policies from recognizing the need for a secret and prevents users from seeing what will be used).
Persistence & Privilege
The skill is not marked always:true and does not request any special persistence or system-wide configuration. Default autonomous invocation is allowed (disable-model-invocation is false), which is normal for skills and not by itself a concern.
What to consider before installing
Before installing: verify the publisher and the API endpoint (api.zhuochuang.com), and ask the publisher to update registry metadata to declare XZ_APIKEY as a required credential. Only provide an API key you trust and scope it with the least privileges possible. Do not send sensitive or confidential queries to this skill unless you trust the provider and the network destination. If you already supplied a key for testing and later have doubts, rotate/revoke it. Because the source/homepage are missing, treat this package with caution and request publisher provenance or a homepage before use.

SKILL.md

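Xiaozhuo Find Data Skill (xz_data)

Queries relevant market data based on the user's question, retrieves structured data such as prices, inventory, and costs, and returns readable text.

Capability overview

Multi-dimensional data, available on demand.

Connects to Zhuochuang's full-category commodity data system, covering 1200+ commodities across 25 major industries. Integrates futures and spot prices, supply-demand and inventory, cost and profit, imports and exports, macroeconomic data, and industry research across all dimensions; the data is updated promptly, traceable to its source, and professionally reliable. Supports flexible multi-dimensional queries, historical trend lookback, and tracking of the latest data, effectively addressing pain points such as missing data and low credibility, and giving you solid data support.

Keywords: 1200+ commodities, 25 major industries, timely updates, traceable and reliable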

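Usage

  1. Obtain an API key

    • The user obtains an apikey from the Xiaozhuo Skills page
  2. Configure the environment variable

    • Store the apikey in an environment variable named XZ_APIKEY
    • Check whether a local API exists; if it does, it can be used directly
  3. Send the request

    • Use a POST request (POST is required)

Request examples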

cURL

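# The apikey header is double-quoted so the shell expands ${XZ_APIKEY};
# inside single quotes the literal string ${XZ_APIKEY} would be sent instead.
curl -X POST --location 'https://api.zhuochuang.com/openclaw/data-search' \
--header 'Content-Type: application/json' \
--header "apikey: ${XZ_APIKEY}" \
--data '{"query":"PTA市场价格走势"}'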

Python

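import os
import requests

# Read the key from the environment and stop early if it is missing,
# rather than sending a request without a usable apikey header.
api_key = os.environ.get('XZ_APIKEY')
if not api_key:
    raise SystemExit('XZ_APIKEY is not set')

url = 'https://api.zhuochuang.com/openclaw/data-search'

headers = {
    'Content-Type': 'application/json',
    'apikey': api_key
}

data = {
    'query': 'PTA市场价格走势'
}

# The endpoint must be called with POST; the timeout keeps the call from hanging.
response = requests.post(url, headers=headers, json=data, timeout=30)
response.raise_for_status()  # surface HTTP errors before parsing the body
print(response.json())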

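Example queries

| Type | Example queries |
| --- | --- |
| Market prices | Latest PTA market price; today's crude oil quote |
| Company quotes | Sinopec PE ex-factory price; Wanhua Chemical MDI quote |
| International markets | Latest international crude oil price; LNG landed price |
| Inventory and costs | Polyethylene social inventory; methanol production cost |
| Combined queries | PTA price change over the past week; PVC inventory in the East China market |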

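Response fields

| Field path | Brief description |
| --- | --- |
| productName | Product name |
| price | Current price |
| priceUnit | Price unit (yuan/ton, USD/barrel, etc.) |
| region | Region information |
| updateTime | Data update time |
| trend | Price trend (up/down/flat) |
| changeValue | Change amount |
| changePercent | Percentage change |
| inventory | Inventory data (if any) |
| costData | Cost-related data (if any) |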
