Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ai-market-report
v1.0.1
Fully automated generation of AI companion software market research daily reports. Applicable scenarios:
- The user says "generate an AI companion software product market research report" or "make an AI companion software daily report"
- The user says "research the AI companion market" or "generate a research report for product XX"
- The user says "generate an AI companion market report" and App Store data, MAU, revenue, or valuation are involved
- The user requests "...
by @vae2024
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description align with the files: it collects App Store + news data and renders Markdown→HTML/PDF. However the SKILL.md and references expect external search tooling (a 'tavily-search' skill) and network calls; those capabilities are plausible for this purpose but are not declared in the skill's metadata (no required binaries or dependencies listed).
Instruction Scope
SKILL.md explicitly instructs the agent to read and invoke another skill's files (/root/.openclaw/workspace/skills/tavily-search/SKILL.md and node scripts) and run curl commands against external APIs. That means the skill expects access to other skill directories and to execute arbitrary node scripts — broader scope than a self-contained report generator. The instructions also require generating and reading files under the workspace; they do not ask for secrets, but permit executing external search code.
Install Mechanism
There is no install spec (instruction-only + included Python script), which is low-risk in general. But the included generate_report.py imports WeasyPrint and the documentation mentions Node, curl, and WeasyPrint—none of which are declared in registry metadata. The absence of an install/dependency declaration is inconsistent and could lead to missing runtime requirements or unexpected behavior.
Credentials
The skill does not request environment variables, credentials, or config paths. It reads files under the workspace and uses public web APIs (iTunes) and other skill scripts; these are appropriate for the stated data-collection purpose and no secrets are requested.
Persistence & Privilege
always is false and the skill does not request persistent/privileged presence or modify other skills' configuration. It does instruct reading other skills' files and executing their scripts, which is normal for modular tooling but increases the operational blast radius if those other skills are untrusted.
What to consider before installing
This skill appears to do what it says (collect App Store + news data and build PDF reports), but be aware of two issues before installing: (1) undeclared runtime requirements — the script and docs expect Python3+WeasyPrint, curl, and Node; the skill metadata lists none. Ensure those binaries and libraries are present and from trusted sources. (2) cross-skill execution — the instructions tell the agent to read and run scripts from /root/.openclaw/workspace/skills/tavily-search; verify that the referenced 'tavily-search' skill exists and inspect its code (and any node scripts it runs) before allowing execution, since this skill will invoke them and they may perform arbitrary web requests or processing. Recommended actions: review the full generate_report.py (untruncated), inspect the tavily-search skill code, confirm WeasyPrint/node/curl availability, and run the script in a sandboxed environment or with network monitoring the first time.
