Mysteel_ReportWrite
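v1.0.0
Automatically generates commodity research reports based on real-time data from the Mysteel database and a professional framework; use when the user explicitly asks to write a report, draft a research report, generate an analysis report, or makes a similarly explicit request.
by mysteel@wyb92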
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill reads a local API key file and calls Mysteel's reporting API (https://mcp.mysteel.com/...) to obtain report outlines — this matches the Skill name/description. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
Instructions require the agent to read/write references/api_key.md and to run scripts/call_mysteel_api.py via exec_shell. This is coherent with the purpose. Two items to note: (1) the SKILL.md instructs the agent to run exec_shell("python scripts/call_mysteel_api.py --query \"...\"") — if the agent constructs that shell command using unsanitized user input there is potential for shell/command-injection; the Python script itself safely parses the argument but the shell invocation must be escaped. (2) SKILL.md references references/api_usage_guide.md (API usage guide) but that file is not present in the bundle — minor documentation inconsistency.
Install Mechanism
No install spec; instruction-only with an included Python script. No downloads or archive extraction. Dependency on requests library is declared — proportional and expected.
Credentials
No environment variables or additional credentials requested. The skill uses a single local API key file (references/api_key.md) which matches the stated authentication model and is proportionate to the task.
Persistence & Privilege
always is false and the skill does not request system-wide changes or elevated privileges. It may cause the agent to write the api_key file when the user supplies a key — that is expected and scoped to the skill.
Assessment
This skill appears coherent and implements what it claims: it reads a local API key file and sends the user's query to Mysteel's reporting API, returning a JSON outline for the agent to expand into a report. Before installing or using it, consider: (1) Verify you trust the endpoint (https://mcp.mysteel.com/...) and that your API key is legitimate and scoped appropriately. (2) Avoid putting secrets or highly sensitive information in the report query, because those strings will be transmitted to the external API. (3) Ensure the agent’s exec_shell call properly escapes or passes the --query argument (to prevent shell injection) — prefer direct process invocation over unescaped shell interpolation. (4) Confirm you are comfortable the agent will write the API key to references/api_key.md in the skill directory. (5) Note a minor documentation mismatch: a referenced api_usage_guide.md is not included. If these points are acceptable, the skill is consistent with its stated purpose.
