礼部侍郎 - 盘前作战地图
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: libu-premarket Version: 14.0.0 The bundle is a legitimate A-share market analysis tool ('礼部侍郎') that provides stock screening based on financial and technical data. It implements a commercial micro-payment system (ClawTip) using SM4 encryption (payment_utils.py) to verify user subscriptions, which is clearly documented in SKILL.md. The main script (pre_market.py) fetches market data from reputable sources like Tushare, Tencent, and Sina, and includes robust features such as local technical indicator calculation, data caching, and environment dependency checks. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the requested permissions for network, file, and environment access are consistent with the tool's stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a different or compromised local skill provides that api_client.py file, this skill may run unreviewed code when generating the report.
The skill can automatically add another local skill's scripts directory to Python's import path and execute api_client code if that path exists. This helper dependency is not declared in SKILL.md or manifest.json.
custom_path = os.path.join(os.path.expanduser("~/.openclaw/skills"), "tushare-finance", "scripts") ... sys.path.insert(0, custom_path)
import api_clientUse only the packaged or pip-installed Tushare client in release builds, or clearly declare this cross-skill dependency and require explicit user opt-in before loading it.
Using the skill can lead to paid orders or subscriptions if the user approves the ClawTip payment flow.
The skill explicitly uses an agent-mediated ClawTip payment flow, including a per-use and monthly paid SKU.
单次体验 | ¥0.8/次 ... 月度订阅 | ¥9.9/月 ... 让你的 AI Agent 调用 ClawTip 技能: clawtip order_no=<订单号> indicator=400faf113c6f265b64c639c67fc91b12
Confirm the order amount, SKU, recipient, and subscription terms before allowing any agent to invoke ClawTip or complete payment.
Payment-related secrets and order credentials are involved, so accidental sharing of environment variables or order files could expose payment verification material.
The payment module reads a ClawTip SM4 key from the environment and relies on local payment credential files for verification.
_SM4_KEY_BASE64 = os.environ.get("CLAWTIP_SM4_KEY") ... ClawTip Agent 读取订单,完成支付,回写 payCredentialSet payment keys only in the intended environment, avoid sharing ~/.openclaw/skills/orders files, and remove stale order files if no longer needed.