Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
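National Bureau of Statistics Data Collection
v1.0.0
National Bureau of Statistics data collection skill. Triggered when the user needs to collect macroeconomic data from the National Bureau of Statistics (NBS), such as GDP, CPI, PPI, and the output gap. Applicable scenarios include: (1) collecting indicators such as GDP, CPI, and PPI; (2) obtaining data from the NBS official website or statistical yearbooks; (3) calculating the output gap (HP filter); (4) organizing data into Excel. This skill includes a standard workflow, data source U...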
by Jackie Zhang @yingjie-zhang-dev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and instructions: scripts and SKILL.md focus on downloading NBS data, computing HP filter, adding charts, verifying links and producing Excel. Network endpoints referenced are the expected NBS domains (stats.gov.cn, data.stats.gov.cn) and examples (Google search). No unrelated cloud credentials, exotic binaries or unrelated services are requested.
Instruction Scope
Instructions remain within the stated purpose (planning → crawl → process → verify → output). However, the SKILL.md and README do not fully declare runtime needs: scripts call curl (via subprocess) and require Python packages (openpyxl, numpy). verify_links.py will extract hyperlinks from a provided Excel file and run curl against them — this behavior is expected for link-checking but means the skill will attempt network connections for any URL present in the spreadsheet (including internal or private URLs).
Install Mechanism
This is an instruction-only skill with no install spec. No third-party archives or arbitrary download+extract steps are used. The risk here is operational: the code expects external Python packages and curl to be available on the host, but the skill does not install them itself.
Credentials
The skill requests no environment variables or credentials (good). But verify_links.py will execute curl on every URL it finds in an Excel file; if a user-supplied spreadsheet contains internal network URLs or attacker-controlled endpoints, the script will probe them from the host. That can be used to scan internal services or cause unwanted outbound requests. Also some files contain placeholder/TODO behavior (nbs_crawler returns gdp/cpi fields as None) — not a credential issue but affects usefulness.
Persistence & Privilege
Skill does not request persistent/high privileges or always:true. It writes output/checkpoint files to a local output/ path (normal). It does not modify other skills or system-wide configuration.
What to consider before installing
This skill is generally coherent with its stated purpose, but review and take precautions before running:
- Inspect any Excel files you provide: verify_links.py will extract hyperlinks and run curl against each URL. Do not give it spreadsheets containing internal/private URLs (this could cause unwanted internal network probes).
- Run the scripts in an isolated environment (sandbox, VM, or container) if you are unsure about network/host exposure.
- Ensure required runtime dependencies are present: Python 3.10+, openpyxl, numpy (and optionally scipy if you add it), and the curl binary. The skill does not install these automatically.
- Note some crawler functions are placeholders (TODO) and return null values; verify that nbs_crawler actually retrieves data for your target timeframe before relying on outputs.
- If you need stricter behavior, consider modifying verify_links.py to whitelist domains (e.g., stats.gov.cn, data.stats.gov.cn) rather than checking all links, or add an option to skip network checks.
If you want, I can: (1) list exact commands to create an isolated environment and install dependencies, (2) show the minimal code change to make verify_links.py domain-whitelist-only, or (3) walk through the crawler functions and point out where to implement real API calls.
Like a lobster shell, security has layers — review code before you run it.
Tags: china, data, economy, gdp, latest, nbs
