Mysteel_BidSupply

v1.0.0

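Supports querying spot supply-and-demand information for steel and searching bidding and tendering data; use it when the user needs to find buyers, find suppliers, look up bidding and tendering information, or discover project opportunities.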

by mysteel@wyb92
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the implementation: both scripts call mysteel endpoints (mcp.mysteel.com) to query bidding and supply/demand data. The API key requirement is expected for those endpoints and no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md directs using the provided scripts and instructs the agent not to show users the API call details or raw JSON data, but both scripts print full JSON to stdout. If the agent simply runs the scripts and forwards output, raw JSON will be produced. Otherwise, SKILL.md's guidance and the scripts' CLI behavior are aligned (parameters, save_api_key flow).
Install Mechanism
No install spec (instruction-only + shipped Python scripts). The only dependency is the common 'requests' package; no downloads from external or untrusted URLs, no extracted archives, and the network endpoints used are the mysteel domain.
Credentials
No environment variables or unrelated secrets are requested. The skill requires an API key, which is reasonable. However, the API key is stored in plaintext inside the skill folder (references/api_key.md) by design — this is a security/usability concern (risk of accidental commit, backup, or exposure).
Persistence & Privilege
always is false; the skill does not request persistent system-wide privileges, and it does not modify other skills or global agent settings. It only writes/reads its own references/api_key.md file.
Assessment
This skill appears to do what it says: query Mysteel bidding and supply/demand APIs. Before installing, consider the following:

1) API key handling — the scripts save the API key as plaintext in references/api_key.md inside the skill directory. Avoid storing long-lived secrets there if you care about leakage (prefer an environment variable or a secure secret store and update the scripts accordingly).
2) Output handling — SKILL.md asks not to show raw JSON, but the scripts print raw JSON; if you don't want raw responses exposed, make sure the agent or caller parses and sanitizes the output before displaying.
3) Network endpoints — the scripts call https://mcp.mysteel.com; verify that this domain is expected and acceptable for your use.
4) Dependencies — the scripts require the Python requests package.

Run the tool in a controlled environment (sandbox) the first time to observe behavior and avoid committing the api_key.md file to version control. If you want higher assurance, request or review an explicit specification for how API keys should be provided (env var or OS secret store) and/or adjust the scripts to avoid writing plaintext credentials to disk.


