Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Summary of what to check before installing:
- Metadata vs code mismatch: The package documentation expects MX_APIKEY, TUSHARE_TOKEN, and Feishu credentials, but the skill registry did not declare required env vars. Treat the skill as needing API keys and authenticate accordingly.
- Secrets exposure: The skill reads .env and config files and also references other skills by absolute workspace paths. Run it only in an isolated environment (dedicated venv/project) that does not contain unrelated se...
⚠ Purpose and capabilities
The declared purpose (generate A‑share morning/evening reports) matches the included code. However the project clearly expects API credentials (MX_APIKEY, TUSHARE_TOKEN) and a Feishu open_id for publishing—yet the registry metadata lists no required env vars or credentials. The code also imports and reuses other local skills (tushare-skills, akshare-cn-market, mx-data/mx-search) via absolute workspace paths, which is disproportionate to a standalone report generator and implies dependency on other skills' configuration/data.
⚠ Instruction scope
Runtime instructions and SKILL.md tell the agent to read .env and config/config.yaml, write reports to a base_dir (defaulting to an absolute user path), verify data sources, and optionally publish to Feishu. The code/docs reference reading environment variables and other skills' directories (/Users/yibiao/.openclaw/...), performing network calls to public APIs, and falling back to mock data. The instructions therefore require access to local files and network endpoints beyond simply calling a single external API—raising risk of unintended exposure of other workspace secrets or data.
✓ Install mechanism
There is no install spec (instruction-only at registry level) and no remote download in the metadata. That lowers install-time risk: nothing in the registry will be fetched from an arbitrary URL. However the bundle includes many Python scripts (data_fetcher, publisher, etc.) which will be executed if the skill is run; the lack of an explicit install does not remove runtime risk.
⚠ Credential requirements
The skill expects/uses multiple sensitive env vars and tokens (MX_APIKEY, TUSHARE_TOKEN, FEISHU_NOTIFY_OPEN_ID) per SKILL.md/README/DATA_SOURCES.md, yet the registry declares none. The skill also references reuse of globally-configured tokens in other skills (e.g., 'tushare-skills' with an inbuilt token) which could cause it to access credentials that belong to other skills. Asking to read a repository-level .env or other skills' code/configs is broader than the stated purpose and increases the risk of secret exposure.
ℹ Persistence and permissions
always:false (no forced permanent inclusion). The skill can be invoked autonomously (default), which is normal for skills. Combined with the above (access to env, other skills, and publishing), autonomous invocation increases blast radius—e.g., the skill could autonomously read .env and publish documents/messages—so run permissions and invocation policies should be considered.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest: v1.0.2 (2026/3/6)
● Harmless
Install command
Official: npx clawhub@latest install a-share-daily-report
Mirror (accelerated): npx clawhub@latest install a-share-daily-report --registry https://cn.longxiaskill.com