美国市场政策查询Skill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API keys or sensitive data-source strings may appear in generated responses, logs, or downstream agent context.
The implementation copies the configured dataSource value into policy objects and top-level results. README examples configure dataSources from API-key environment variables, so a key used as a data source could be exposed in output or cached in memory.
const dataSource = this.config.dataSources[category]; ... dataSource, ... return { ... dataSource, language: this.config.language }Do not put raw API keys in dataSources until this is fixed; credentials should be separated from endpoint names, masked in outputs, and declared explicitly in metadata.
Users may rely on placeholder or mock policy information as if it were fresh AI-backed market analysis, which could affect business or investment decisions.
The README presents the skill as live DeepSeek-backed policy analysis, while the included implementation has no DeepSeek/Huimai dependency or network/API calls and labels data retrieval as simulated.
- 基于DeepSeek v4最新AI模型 - 智能政策分析和趋势预测 - **数据智能体层**:实时采集美国政策数据
Treat outputs as demo data unless the maintainer supplies working data-source/model integration and clearly documents limitations.
A user could accidentally install a different package or an unverified source if they follow the documentation without checking identity.
The documented install/package name differs from the evaluated registry slug `usa-market-policy-2026`, and the registry source/homepage are unknown. No malicious install behavior is shown, but provenance is unclear.
clawhub install usa-policy-query # 或手动安装 npm install usa-policy-query
Verify the package name, publisher, and source repository before installing or entering credentials.