Russian Blood Glucose Monitoring Device Market Research (Instant Version)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent report-generation skill that uses Python, local files, and search API credentials for its stated market-research purpose, with a few setup and credential-handling details users should review.

Before installing, use a virtual environment, review the Python commands before execution, replace or remove API keys in data/data_sources.json, and verify generated reports before sharing them. No artifact-backed malicious behavior was found.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

The skill may run local Python commands and create report files on your machine.

Why it was flagged

The skill intentionally relies on Python script execution. This is central to its stated report-generation workflow, but it means users should review commands before running them.

Skill content
Encapsulate all logic in Python scripts and run them via `execute_command`
Recommendation

Run it from the intended skill/project directory, review command arguments, and do not approve unrelated shell commands.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing later package versions could change behavior or introduce dependency risk.

Why it was flagged

The skill depends on remote Python packages with lower-bound version constraints rather than exact pinned versions. This is common for Python tools but gives less reproducible dependency provenance.

Skill content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-docx>=0.8.11
Recommendation

Install in a virtual environment and pin/lock dependency versions if using this for production work.

ASI03: Identity and Privilege Abuse
Low
What this means

Search/API queries may be made under the credentials stored in the skill's local config file, and providers may log, rate-limit, or bill the associated account.

Why it was flagged

The skill expects API credentials in a local config file and includes an apparent TGStat API key. API access is purpose-aligned for market research, but plaintext/shared credentials deserve review.

Skill content
"serpapi": { "key": "YOUR_SERPAPI_KEY" ... }, "tgstat": { "key": "bd97100384734df204bf935b20eee8d7" ... }
Recommendation

Replace placeholders with your own keys, remove or replace the embedded TGStat key if not intended, and keep the config file private.