Metal Price
Warn
Audited by ClawScan on May 10, 2026.
Overview
The price-query purpose is coherent, but the skill embeds a website username/password and forces a user-specific export path, so it should be reviewed before use.
Do not use this skill as-is with the embedded login. Ask the publisher to remove the hardcoded username/password, provide your own credentials only through a secure secret mechanism, and confirm the export path and any scheduled automation before running it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use an account that the installing user does not own, and the credential itself may be exposed to anyone who can view or run the skill.
The skill embeds a concrete website username and password directly in the instructions instead of requiring a user-provided credential or secure credential store.
Login information - **Username**: 13327325057 - **Password**: 1234567890
Remove the hardcoded credential, require each user to provide their own qqthj.com login through a secure secret mechanism, and clearly declare the credential requirement in metadata.
The export may fail on other systems, write into an unexpected local folder, or overwrite an existing file if the agent does not confirm the destination.
The Excel export is expected for the skill, but the required destination is a fixed, user-specific local path rather than a configurable or user-confirmed location.
Export path | Fixed path | **Must** be saved to this path | C:\Users\wangxiang\Desktop\阶跃产出结果\Excel文件
Make the output directory user-configurable, confirm before writing or overwriting files, and declare any OS/path assumptions.
If enabled later, the skill could continue fetching data on a schedule after the immediate user request is complete.
Scheduled execution is only listed as an extension and no persistence code is present, but it would become background/autonomous activity if implemented.
4. **Scheduled task**: Set up scheduled automatic execution
Require explicit user opt-in for any scheduled task, document how to disable it, and avoid creating background jobs by default.
