礼部侍郎 - 盘前作战地图 (Vice Minister of Rites - Pre-Market Battle Map)
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a different or compromised local skill provides that api_client.py file, this skill may run unreviewed code when generating the report.
The skill can automatically add another local skill's scripts directory to Python's import path and execute api_client code if that path exists. This helper dependency is not declared in SKILL.md or manifest.json.
custom_path = os.path.join(os.path.expanduser("~/.openclaw/skills"), "tushare-finance", "scripts") ... sys.path.insert(0, custom_path)
import api_client
Use only the packaged or pip-installed Tushare client in release builds, or clearly declare this cross-skill dependency and require explicit user opt-in before loading it.
Using the skill can lead to paid orders or subscriptions if the user approves the ClawTip payment flow.
The skill explicitly uses an agent-mediated ClawTip payment flow, including a per-use and monthly paid SKU.
Single-use trial | ¥0.8 per use ... Monthly subscription | ¥9.9 per month ... Have your AI Agent invoke the ClawTip skill: clawtip order_no=<order number> indicator=400faf113c6f265b64c639c67fc91b12
Confirm the order amount, SKU, recipient, and subscription terms before allowing any agent to invoke ClawTip or complete payment.
Payment-related secrets and order credentials are involved, so accidental sharing of environment variables or order files could expose payment verification material.
The payment module reads a ClawTip SM4 key from the environment and relies on local payment credential files for verification.
_SM4_KEY_BASE64 = os.environ.get("CLAWTIP_SM4_KEY") ... ClawTip Agent reads the order, completes the payment, and writes back payCredential
Set payment keys only in the intended environment, avoid sharing ~/.openclaw/skills/orders files, and remove stale order files if no longer needed.
