US Market Policy Query Skill

Pass. Audited by VirusTotal on Apr 30, 2026.

Overview

Type: OpenClaw Skill
Name: usa-market-policy-2026
Version: 1.0.0

The skill bundle is a functional template or mock implementation for a US market policy analysis tool. The code in index.js and test.js contains no actual network requests, file system access, or sensitive data handling; instead, it returns hardcoded mock data and provides basic language switching and caching logic. There are no signs of malicious intent, data exfiltration, or harmful prompt injection in SKILL.md or README.md.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

API keys or sensitive data-source strings may appear in generated responses, logs, or downstream agent context.

Why it was flagged

The implementation copies the configured dataSource value into policy objects and top-level results. README examples configure dataSources from API-key environment variables, so a key used as a data source could be exposed in output or cached in memory.

Skill content
const dataSource = this.config.dataSources[category]; ... dataSource, ... return { ... dataSource, language: this.config.language }
Recommendation

Do not put raw API keys in dataSources until this is fixed; credentials should be separated from endpoint names, masked in outputs, and declared explicitly in metadata.

What this means

Users may rely on placeholder or mock policy information as if it were fresh AI-backed market analysis, which could affect business or investment decisions.

Why it was flagged

The README presents the skill as live DeepSeek-backed policy analysis, while the included implementation has no DeepSeek/Huimai dependency or network/API calls and labels data retrieval as simulated.

Skill content
- Based on the latest DeepSeek v4 AI model
- Intelligent policy analysis and trend prediction
- **Data agent layer**: real-time collection of US policy data
Recommendation

Treat outputs as demo data unless the maintainer supplies working data-source/model integration and clearly documents limitations.

What this means

A user could accidentally install a different package or an unverified source if they follow the documentation without checking identity.

Why it was flagged

The documented install/package name differs from the evaluated registry slug `usa-market-policy-2026`, and the registry source/homepage are unknown. No malicious install behavior is shown, but provenance is unclear.

Skill content
clawhub install usa-policy-query

# or install manually
npm install usa-policy-query
Recommendation

Verify the package name, publisher, and source repository before installing or entering credentials.