找数据
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherently focused on querying commodity market data, with the main caution that it sends user queries to an external API and uses an API key that is not declared in the registry metadata.
Before installing, confirm you are comfortable sending commodity-market queries to api.zhuochuang.com and storing an XZ_APIKEY for that service. The skill appears purpose-aligned and instruction-only, but the metadata should ideally disclose the required API key.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Market-data questions entered by the user may be sent to the Zhuochuang API service.
The skill instructs the agent/user to send queries to an external API. This is expected for real-time commodity data lookup, but it means user queries leave the local environment.
curl -X POST --location 'https://api.zhuochuang.com/openclaw/data-search' ... --data '{"query":"PTA市场价格走势"}'
Use the skill for intended market-data queries and avoid including unrelated private or sensitive information in the query text.
Users must provide and store a service credential for the API to work, even though this is not reflected in the metadata requirements.
The skill requires a service API key stored in an environment variable, while the registry metadata says there are no required environment variables and no primary credential.
The user obtains an `apikey` on the 小卓 Skills page ... Store the `apikey` in an environment variable named `XZ_APIKEY`
The publisher should declare XZ_APIKEY as the required credential/environment variable; users should use a service-specific key and avoid exposing it in logs or shared transcripts.
