Capital Market Report
Pass. Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: capital-market-report
Version: 4.132.1

The skill bundle contains a shell injection vulnerability in 'generate-report.py': 'subprocess.run(shell=True)' executes command lines built by string formatting from inputs that can vary at runtime (for example stock symbols), so shell metacharacters in such an input are interpreted by the shell rather than passed through as data. The 'SKILL.md' file gives the AI agent high-privilege instructions, including the authority to execute various local scripts and to delete files in the workspace memory directory ('~/.openclaw/workspace-group/memory/') for cleanup. These capabilities match the stated goal of generating capital market reports, but the combination of insecure coding practices with broad file and execution permissions creates a significant attack surface. The scripts fetch data from legitimate financial news sources such as Sina Finance, Wall Street CN, and various international RSS feeds.
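The vulnerable pattern beside its hardened form, as an added example that is not code from the capital-market-report skill: 'echo' stands in for the real data-fetching command, and the function names, the symbol allowlist regex and the constructed malicious "symbol" are assumptions. The third function shows that passing the value as its own argv element already stops the injection; the allowlist is defense in depth so that garbage never reaches the fetch command at all.

```python
import re
import subprocess

# Added example, not the skill's code. The names below, the allowlist regex and
# the use of `echo` in place of the real fetch command are assumptions.

# Assumed allowlist: letters, digits, dot, underscore, hyphen (covers forms like
# AAPL, 600000.SS, sh600000). Anything else is rejected before a command is built.
SYMBOL_RE = re.compile(r"^[A-Za-z0-9._-]{1,16}$")


def validate_symbol(symbol: str) -> str:
    """Reject anything that is not a plausible ticker before it reaches a command."""
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError(f"invalid symbol: {symbol!r}")
    return symbol


def run_lookup_unsafe(symbol: str) -> str:
    """The risky pattern: shell=True plus string formatting.

    The symbol is spliced into a shell command line, so metacharacters in it
    (; | && $(...) backticks) are interpreted by /bin/sh.
    """
    cmd = f"echo fetching {symbol}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return result.stdout


def run_lookup_argv(symbol: str) -> str:
    """No shell: the symbol is one argv element, so metacharacters are plain data."""
    result = subprocess.run(["echo", "fetching", symbol], capture_output=True, text=True, check=True)
    return result.stdout


def run_lookup_safe(symbol: str) -> str:
    """Hardened form: validated input, passed without a shell."""
    return run_lookup_argv(validate_symbol(symbol))


if __name__ == "__main__":
    payload = "AAPL; echo INJECTED"  # constructed malicious "symbol"
    print(run_lookup_unsafe(payload), end="")  # second line reads INJECTED: the shell ran it
    print(run_lookup_argv(payload), end="")    # one line, payload echoed literally
    print(run_lookup_safe("AAPL"), end="")
    try:
        run_lookup_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it on a POSIX host; the unsafe call prints two lines because the shell executed the text after the semicolon, while the argv form prints one line containing the whole payload as a literal string.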
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run local market-news scanning tools as part of producing a report.
The skill directs the agent to execute local scraper commands. This is central to the stated market-report purpose, but users should understand that installing/invoking the skill may run local scripts and make external news requests.
You must run the following information scraping tools: ... uv run scripts/news-processor.py ... uv run ~/.openclaw/skills/stock-analysis/scripts/hot_scanner.py
Use the skill when you want this behavior, and review or restrict the referenced tools if you do not want automated market/news fetching.
Report generation may depend on other installed skills whose behavior is outside this review.
The code relies on other local skill scripts outside this package, and the registry metadata does not declare required binaries or install requirements. This is purpose-aligned for market data, but those helper scripts are not reviewed in these artifacts.
script_path = "~/.openclaw/skills/tencent-finance-stock-price/scripts/query_stock.py" ... script_path = "~/.openclaw/workspace-group/skills/cryptoprice/scripts/cryptoprice.py"
Install only trusted companion skills and verify that required tools such as uv/Python and referenced market-data skills are present and expected.
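A pre-install check covering both points above (scripts the instructions run, and companion scripts and tools the code depends on), as an added example that is not part of the skill or of ClawScan: it pulls every 'uv run' target out of SKILL.md-style text and every 'script_path = "..."' assignment out of Python-style text, sorts them into bundled versus external, and lists undeclared tools that are not on PATH. The regexes, the constructed sample text, the skill and home directories and the tool list are assumptions.

```python
import re
import shutil
from pathlib import Path

# Added example, not code from the capital-market-report skill or ClawScan.
# The regexes, sample text, directories and tool list are assumptions about
# how such references look; adjust them to the real artifacts.

UV_RUN_RE = re.compile(r"uv run\s+(\S+\.py)")
SCRIPT_PATH_RE = re.compile(r"""script_path\s*=\s*["']([^"']+\.py)["']""")

# Constructed sample text, echoing the kind of lines quoted in the findings.
SAMPLE_SKILL_MD = """\
You must run the following information scraping tools:
uv run scripts/news-processor.py
uv run ~/.openclaw/skills/stock-analysis/scripts/hot_scanner.py
"""
SAMPLE_GENERATE_REPORT = """\
script_path = "~/.openclaw/skills/tencent-finance-stock-price/scripts/query_stock.py"
script_path = "~/.openclaw/workspace-group/skills/cryptoprice/scripts/cryptoprice.py"
"""

# Tools the instructions rely on but the registry metadata never declared (assumed list).
EXPECTED_TOOLS = ["uv", "python3"]


def extract_script_refs(text: str) -> list[str]:
    """Collect every script path the text asks the agent (or the code) to run."""
    refs = UV_RUN_RE.findall(text) + SCRIPT_PATH_RE.findall(text)
    return list(dict.fromkeys(refs))  # dedupe, keep first-seen order


def resolve_ref(ref: str, skill_dir: Path, home: Path) -> Path:
    """Turn a reference into an absolute path without touching the filesystem."""
    if ref.startswith("~/"):
        return home / ref[2:]
    p = Path(ref)
    return p if p.is_absolute() else skill_dir / p


def classify_refs(refs, skill_dir: Path, home: Path) -> dict[str, str]:
    """'bundled' when the script ships inside the skill directory, else 'external'.

    Purely lexical: symlinks are not followed, so a bundled path that links
    elsewhere still counts as bundled. Inspect those by hand.
    """
    out = {}
    for ref in refs:
        target = resolve_ref(ref, skill_dir, home)
        out[ref] = "bundled" if target.is_relative_to(skill_dir) else "external"
    return out


def missing_tools(tools, which=shutil.which) -> list[str]:
    """Required binaries that are not on PATH (which() is injectable for testing)."""
    return [t for t in tools if which(t) is None]


def audit(skill_md: str, code: str, skill_dir: Path, home: Path, which=shutil.which) -> dict:
    """One summary a reviewer can read before installing the skill."""
    scope = classify_refs(extract_script_refs(skill_md + code), skill_dir, home)
    return {
        "bundled_scripts": [r for r, s in scope.items() if s == "bundled"],
        "external_scripts": [r for r, s in scope.items() if s == "external"],
        "missing_tools": missing_tools(EXPECTED_TOOLS, which),
    }


if __name__ == "__main__":
    home = Path.home()
    skill_dir = home / ".openclaw" / "skills" / "capital-market-report"  # assumed location
    for key, value in audit(SAMPLE_SKILL_MD, SAMPLE_GENERATE_REPORT, skill_dir, home).items():
        print(f"{key}: {value}")
```

Every path listed under external_scripts is code this skill will execute but which is outside the package and outside this review; each one should be traced to a companion skill you have installed on purpose.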
Previous report content may affect what the skill includes or excludes in later reports.
The skill intentionally reuses prior report files to compute 24-hour deltas. This is scoped and purpose-aligned, but persistent report context can influence later outputs if earlier reports are stale or inaccurate.
Reports are stored in `~/.openclaw/workspace-group/memory/capital_market_report_*.md` ... Read every report whose timestamp is within 24 hours
Keep generated reports source-backed, and clear the related memory/cache files if prior reports become inaccurate or should not influence future summaries.
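How a report generator can use the memory directory the way this finding describes without the cleanup authority becoming a general delete primitive, as an added example that is not the skill's code: one function selects the reports inside the 24-hour window, the other deletes named report files only if they are regular files, match the report pattern, and resolve to a direct child of the memory directory (so '../' names and symlinks that point outside are skipped). Using file modification time as the report timestamp, the fixture layout and the function names are assumptions.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Added example, not code from the capital-market-report skill. Modification
# time as the report timestamp, the fixture layout and the names are assumptions.

REPORT_GLOB = "capital_market_report_*.md"
NOW = 1_700_000_000.0  # fixed clock so the fixture is reproducible


def recent_reports(memory_dir: Path, now: float, window_hours: float = 24) -> list[Path]:
    """Reports whose mtime lies within the window, newest first (the delta inputs)."""
    cutoff = now - window_hours * 3600
    hits = [p for p in memory_dir.glob(REPORT_GLOB)
            if p.is_file() and not p.is_symlink() and p.stat().st_mtime >= cutoff]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def safe_remove_reports(memory_dir: Path, names) -> list[Path]:
    """Delete only report files that really live directly inside memory_dir."""
    root = memory_dir.resolve()
    removed = []
    for name in names:
        target = memory_dir / name
        resolved = target.resolve()
        # Containment: the resolved path must be a direct child of the memory dir.
        # This rejects '../x', nested paths, and symlinks pointing elsewhere.
        if resolved.parent != root:
            continue
        if target.is_symlink() or not resolved.is_file():
            continue
        if not fnmatch.fnmatch(resolved.name, REPORT_GLOB):
            continue
        resolved.unlink()
        removed.append(resolved)
    return removed


def build_fixture(now: float) -> tuple[Path, Path]:
    """Constructed layout: a memory dir with fresh and stale reports, a decoy,
    a symlink escaping the dir, and a file outside it. Returns (base, memory_dir)."""
    base = Path(tempfile.mkdtemp(prefix="openclaw-memory-example-"))
    mem = base / "memory"
    mem.mkdir()
    outside = base / "outside.md"
    outside.write_text("must survive cleanup\n")
    for name, age_hours in [("capital_market_report_fresh.md", 1),
                            ("capital_market_report_old.md", 30),
                            ("notes.md", 1)]:
        p = mem / name
        p.write_text(f"# {name}\n")
        stamp = now - age_hours * 3600
        os.utime(p, (stamp, stamp))
    (mem / "capital_market_report_link.md").symlink_to(outside)
    return base, mem


if __name__ == "__main__":
    base, mem = build_fixture(NOW)
    print("within 24h:", [p.name for p in recent_reports(mem, NOW)])
    gone = safe_remove_reports(mem, ["../outside.md", "capital_market_report_link.md",
                                     "capital_market_report_old.md", "notes.md"])
    print("removed:", [p.name for p in gone])
    print("outside.md still present:", (base / "outside.md").exists())
```

The same containment check belongs in front of any delete the agent is allowed to perform; the allowed pattern plus the direct-child rule keeps a cleanup instruction from reaching anything but this skill's own reports.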
