礼部侍郎 - 盘前作战地图 (Pre-market Battle Map)

Audited by ClawScan on May 10, 2026.

Overview

The paid stock-report features are mostly disclosed, but the runtime code also tries to load code from another local skill folder that is not clearly declared to users.

Review or disable the custom import from ~/.openclaw/skills/tushare-finance/scripts before use, run the skill in a controlled environment, and manually approve any ClawTip payment or subscription only after checking the amount and terms.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a different or compromised local skill provides that api_client.py file, this skill may run unreviewed code when generating the report.

Why it was flagged

The skill can automatically add another local skill's scripts directory to Python's import path and execute api_client code if that path exists. This helper dependency is not declared in SKILL.md or manifest.json.

Skill content
custom_path = os.path.join(os.path.expanduser("~/.openclaw/skills"), "tushare-finance", "scripts")
...
sys.path.insert(0, custom_path)
import api_client
Recommendation

Use only the packaged or pip-installed Tushare client in release builds, or clearly declare this cross-skill dependency and require explicit user opt-in before loading it.

What this means

Using the skill can lead to paid orders or subscriptions if the user approves the ClawTip payment flow.

Why it was flagged

The skill explicitly uses an agent-mediated ClawTip payment flow, including a per-use and monthly paid SKU.

Skill content
Single-use trial | ¥0.8/use ... Monthly subscription | ¥9.9/month ... Have your AI Agent call the ClawTip skill: clawtip order_no=<订单号> indicator=400faf113c6f265b64c639c67fc91b12
Recommendation

Confirm the order amount, SKU, recipient, and subscription terms before allowing any agent to invoke ClawTip or complete payment.

What this means

Payment-related secrets and order credentials are involved, so accidental sharing of environment variables or order files could expose payment verification material.

Why it was flagged

The payment module reads a ClawTip SM4 key from the environment and relies on local payment credential files for verification.

Skill content
_SM4_KEY_BASE64 = os.environ.get("CLAWTIP_SM4_KEY") ... The ClawTip Agent reads the order, completes the payment, and writes back payCredential
Recommendation

Set payment keys only in the intended environment, avoid sharing ~/.openclaw/skills/orders files, and remove stale order files if no longer needed.