Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A Stock
v0.1.1
A-share financial data query and analysis assistant. Use this skill whenever the user asks any A-share related question, including: looking up individual stock information, real-time quotes, intraday trends, the Dragon-Tiger list (龙虎榜), industry sectors, order-book anomalies, market overview, and so on. Trigger words include, but are not limited to: stock, A-share, Shanghai market, Shenzhen market, quotes, limit-up, limit-down, sector, Dragon-Tiger list, order-book anomaly, individual stock, share price, total market cap, securities, or any query containing a 6-digit stock code (e.g. 600519...
by @wwzzsl
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description, the included scripts, and the declared API host (api.aipmedia.cn) are consistent: the skill needs an ASTOCK_API_KEY and the TypeScript client calls that host. However, the top-level registry metadata (shown to you earlier) claims 'Required env vars: none' and 'Required binaries: none', while SKILL.md and scripts require ASTOCK_API_KEY and Node/npx. That metadata mismatch is an incoherence (likely sloppy packaging) that you should verify.
Instruction Scope
SKILL.md gives narrow, explicit runtime instructions: always run the included TypeScript client with npx tsx, obtain ASTOCK_API_KEY from .env or environment, and only call api.aipmedia.cn. The client code only reads ASTOCK_API_KEY (from .env in working dir or parent, or from env), performs an HTTP GET, and prints the returned data. There are no instructions to read or transmit other local files.
Install Mechanism
There is no external install/download step: the repo includes an instruction file and a single scripts/api-client.ts. No remote installers, archives, or obscure URLs are used. This is lower risk from an install-mechanism perspective.
Credentials
The skill legitimately requires a single API key (ASTOCK_API_KEY) for the stated API, which is proportionate. The concern is twofold: (1) the registry metadata omitted declaring the required env var and required runtime (Node/npx), making the package metadata inconsistent; (2) the script searches for .env in the current and parent directory, which could accidentally pick up an unrelated .env file containing other secrets if you run it from an unexpected location. The client sends the API key as a header to api.aipmedia.cn — you must trust that host and the key usage.
Persistence & Privilege
The skill does not request permanent presence (always:false) and the script does not persist secrets or modify other agent configuration. It reads the API key at runtime and does not write it or other data to disk.
What to consider before installing
What to check before installing/using:
1) Confirm the skill source (review the GitHub repo at the provided homepage) to ensure it matches the package you installed.
2) Verify the metadata mismatch: SKILL.md requires ASTOCK_API_KEY and Node/npx, but the registry metadata omitted these; treat that as a packaging error and confirm the requirements.
3) Avoid running the script from directories containing other .env files with unrelated secrets; prefer setting ASTOCK_API_KEY as an explicit environment variable or creating a dedicated project directory with a minimal .env.
4) Inspect scripts/api-client.ts yourself (it is short): it only reads ASTOCK_API_KEY and calls https://api.aipmedia.cn; if you trust that service, the behavior is consistent.
5) If you have concerns about leaking the API key, isolate the process (container/VM) or review network egress controls; otherwise the key will be sent to api.aipmedia.cn as intended.
6) If you want higher assurance, ask the publisher to fix the package metadata to declare the required env vars and runtime binaries.
If any of these points are unclear or you want help checking the repo contents or running the script in a safe environment, I can assist.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/api-client.ts:49
Environment variable access combined with network send.
scripts/api-client.ts:40
File read combined with network send (possible exfiltration).
Like a lobster shell, security has layers — review code before you run it.
