Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
yanbaoke-research-report-download
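v2.1.0 · From Yanbaoke (pc.yanbaoke.cn, Yanbaoke app), an AI platform that aggregates global industry reports, brokerage research reports, in-depth institutional reports and chart data, covering more than 5,000 institutions and over five million reports, with in-depth research across all industries. Search research reports across every industry, retrieve report titles and report content, and download the report source files.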
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and runtime scripts (search.mjs, download.mjs) align: search is public and download requires a YANBAOKE_API_KEY. Required binary (node) and the single env var are appropriate for the stated functionality. Minor inconsistency: package references both api.yanbaoke.cn (API) and app.quzili.cn (installation host).
Instruction Scope
SKILL.md and the scripts themselves only call the yanbaoke API and print results (no unrelated system file reads). However, the install instructions (instruct.md / README.md) direct users to curl remote scripts into ~/.openclaw/skills/yanbaoke and to append an API key to ~/.bashrc. These installation-time steps write remote code to disk and persist credentials, which broadens scope beyond runtime needs.
Install Mechanism
There is no formal install spec in the registry; instead instruct.md tells users to download scripts from https://app.quzili.cn. That host is different from the service domain (pc.yanbaoke.cn / api.yanbaoke.cn). Downloading and extracting code from a third-party URL (not a well-known release host) is higher risk and should be treated cautiously.
Credentials
Only one environment variable is required (YANBAOKE_API_KEY), which is appropriate for authenticated downloads. The instructions recommend writing the API key into ~/.bashrc for persistence, which is convenient but potentially unsafe if the key is sensitive or the user's system is shared.
Persistence & Privilege
The skill does not request 'always:true' or other elevated platform privileges. The scripts themselves do not modify other skills or system settings. The installation steps (user-run) suggest persisting the API key to shell rc, which increases persistence of secrets but is an installer behavior rather than an automatic privilege escalation.
What to consider before installing
This skill's code (search.mjs and download.mjs) appears to do what the description promises: search and download reports from yanbaoke's API. However, the provided installation instructions tell you to curl scripts from https://app.quzili.cn (a host different from the API domain) into your home directory and to append your API key to ~/.bashrc. Before installing, consider:
1) Verify the installer host and files (app.quzili.cn); prefer downloading code bundled in the registry or from an official, audited release.
2) Inspect the downloaded scripts locally (search.mjs, download.mjs) before running them.
3) Avoid permanently storing sensitive API keys in ~/.bashrc on multi-user machines; use temporary environment variables or a secrets manager if possible.
4) Confirm that the API endpoints (api.yanbaoke.cn) are legitimate and that pricing/terms are acceptable.
5) If you are uncomfortable with curling remote code, copy the script contents from a vetted source or ask the publisher for a signed release.
These concerns make the skill suspicious but not necessarily malicious.
scripts/download.mjs:78
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
📊 Clawdis
Bins: node
Env: YANBAOKE_API_KEY
