quotedance-market

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: quotedance-market
Version: 1.0.0

The skill provides market research capabilities by aggregating data from Yahoo Finance, RSS feeds, and a third-party API (quotedance.api.gapgap.cc). It is classified as suspicious because it uses risky capabilities, specifically `execFileSync` to execute system-level `curl` commands as a network fallback in `market-scan.js`. While these behaviors are aligned with the stated purpose of fetching financial data, the combination of binary execution, local file system persistence in the `memory/` directory, and outbound network requests to an external service represents a significant attack surface.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, the skill may run curl to contact configured market/news services, including through a configured proxy.

Why it was flagged

The script can execute the local curl binary when normal fetch attempts fail, so it has local command-execution behavior even though it is limited to the market-data fetch workflow.

Skill content

    return execFileSync('curl', args, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] });

Recommendation

Keep curl fallback enabled only if you trust the local environment and proxy configuration; disable enableCurlFallback in config.json if you do not need it.

What this means

Your Quotedance API key or proxy settings may be used for the skill's outbound market-data requests.

Why it was flagged

The code can use environment-provided proxy settings and an API key, but these are expected for accessing the stated market-data service and proxies.

Skill content

    process.env.HTTPS_PROXY || process.env.HTTP_PROXY || process.env.ALL_PROXY || '';
    ...
    const key = CONFIG.apiKey || process.env.QUTEDANCE_API_KEY || '';
    if (key) headers['X-API-Key'] = key;

Recommendation

Set only the intended API key/proxy values, and consider adding these optional variables to the skill metadata for clearer disclosure.

What this means

Cached market/news data may persist across runs and could influence later reports if stale or manually altered.

Why it was flagged

The skill documents persistent local files for historical market snapshots and news-source cache.

Skill content

    memory/
    ├── market-YYYY-MM-DD.json # historical snapshots
    └── source-cache.json      # news source cache

Recommendation

Review or clear the skill's memory directory if reports appear stale or inconsistent.