Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elon Musk Intelligence Briefing

v1.0.10

Tracks Elon Musk and his companies in real time, providing daily AI-generated investment intelligence summaries and market impact analysis.

Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description promises real-time tracking of Elon Musk and AI-generated investment intelligence, but the provided runtime behavior is a minimal demo HTTP service that returns static example JSON and a sample payment link. The shipped code does not implement scraping, data feeds, or model inference, so the implementation is inconsistent with the claimed purpose.
!
Instruction Scope
SKILL.md instructs running bare.py and documents simple endpoints, which matches bare.py. However there is a second service file (main.py) not referenced by SKILL.md; main.py contains a hard-coded SKILLPAY_API_KEY and FastAPI endpoints. The presence of an unreferenced file with a secret expands the runtime surface beyond the documented instructions.
Install Mechanism
No install spec (instruction-only) — lowest install risk. A requirements.txt lists fastapi and uvicorn which are unnecessary for the documented entrypoint (bare.py) but required by main.py. This mismatch suggests leftover or alternate runtime expectations.
!
Credentials
requires.env lists none, yet main.py contains a hard-coded SKILLPAY_API_KEY (sensitive credential) baked into source. The skill both exposes a secret in-repo and fails to declare any credential usage, which is disproportionate and risky (possible leakage or misuse).
Persistence & Privilege
The skill is not set to always:true and is user-invocable. It runs an HTTP server bound to configured ports (reads many common PORT env names) which is expected for an HTTP skill. No other privileged platform modifications are present.
What to consider before installing
Do not install or enable this skill without clarification. Questions and actions to consider before proceeding:
- Ask the publisher to explain why the codebase includes two entry files (bare.py and main.py) and which one is intended to run.
- Require removal of hard-coded credentials (SKILLPAY_API_KEY) and rotation of that key if it is real; secrets must be provided via environment variables and declared in metadata.
- Verify the skill's source and homepage; source is unknown and the package claims capabilities (real-time tracking, AI analysis) that are not implemented.
- If you still want to test, run it in a sandboxed environment with restricted network access and monitor outbound traffic to ensure it doesn't contact unexpected endpoints.
- Prefer a version with reproducible provenance, no embedded secrets, and documentation that matches the actual runtime behavior.

Like a lobster shell, security has layers — review code before you run it.

latest vk97f2sx9s39fgjxsvec34ngs3182a85v
395 downloads
0 stars
12 versions
Updated 6h ago
v1.0.10
MIT-0

MuskInsider Pro

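Introduction

Provides a minimal runnable HTTP skill service that returns demo Musk news briefing data and a sample payment link. No external crawler or model inference; purely a demo interface.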

Endpoints

  • GET //health: service health check, returns {"status":"ok","project":"MuskInsider"}
  • GET /invoke: returns demo JSON with a preview of the day's briefing
  • POST /invoke: returns demo JSON with a payment link (SkillPay sample URL)

Running

  • Start: python bare.py
  • Listens on: 0.0.0.0:8080 by default (if the platform does not inject a port variable, it will also try 8080/8000/3000)

Version

  • v1.0.1
