📦 Blacksnow — 风险信号捕捉
v0.1.0扫描人类、法律及运营系统中的早期风险信号,将其转化为机器可读、可交易的风险元数据,助力机构提前规避损失。
0· 1.6k·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (ingest public, low‑signal data and produce tradable risk primitives) aligns with the presence of harvester/pipeline code, but the runtime instructions are vague, credential/config requirements are undeclared, and the code artifacts (memory, webhook, harvester) create opportunities for scope creep and unexpected data access/storage.
评估建议
This skill bundles code that scrapes/harvests, stores memory, and sends webhooks but declares no required credentials or install steps — that's a red flag. Before installing: 1) Review the scripts (harvester*, pipeline.py, memory.py, webhook.py) to confirm what endpoints are contacted, what is persisted, and whether any default URLs or keys are embedded. 2) Verify how the skill enforces its 'forbidden' list (no PII, no paywalled sources) — there is no technical proof in SKILL.md. 3) If you don't...详细分析 ▾
⚠ 用途与能力
Name/description match the included scripts (harvester, pipeline, webhook, memory). However, the SKILL.md declares no required credentials or config paths while the codebase implies network I/O, data storage, and potential external integrations (monetization, streaming). The monetization and integration claims (real-time streaming, tradebot/hedgecore integration) suggest external API keys and credentials which are not declared — an incoherence that reduces transparency.
⚠ 指令范围
SKILL.md gives high-level agent roles but not bounded runtime instructions. Phrases like 'collects obscure, legally accessible data exhaust from approved domains' grant the agent broad latitude about what to fetch and from where. The skill claims to forbid private or paywalled sources, but there is no concrete enforcement mechanism described. Presence of memory.py and webhook.py suggests the runtime could persist or exfiltrate data or open network endpoints; those operations are not scoped or constrained in the instructions.
✓ 安装机制
No install spec is provided — the skill is instruction/code-only and does not download arbitrary binaries during install. That lowers installation risk. All code is bundled with the skill (scripts/*), so there are no external download URLs in the manifest to flag.
⚠ 凭证需求
The manifest declares no required environment variables or primary credentials, yet the functionality (webhooks, streaming outputs, integrations with trading/monetization endpoints) implies the need for API keys, access tokens, or destination URLs. The lack of declared env requirements is disproportionate and reduces the user's ability to audit what secrets the skill will need or access.
ℹ 持久化与权限
always is not set and disableModelInvocation is not set (default enabled), so the model could invoke this skill autonomously. That is common for integration skills, but given this skill's potential to collect, store, and forward ambient signals, you should be aware the agent may trigger network I/O and data storage without additional explicit settings. The skill does include a memory component, indicating persistence capability.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/2/7
BlackSnow 0.1.0 – Initial Release - Launches an economic sensor skill for early, pre-news ambient risk detection. - Ingests fragmented, legally accessible data across operational, legal, and human systems. - Applies ontology fusion, Bayesian accumulation, and forecasting for predictive risk vector surfacing. - Structures outputs as machine-readable, tradable primitives for finance, insurance, logistics, and policy use. - Clearly defines allowed/forbidden data sources, monetization tiers, and compliance/ethical constraints. - Lists integration points and status as sandbox, gated onboarding, and requiring audit.
● 可疑
安装命令
点击复制官方npx clawhub@latest install blacksnow
镜像加速npx clawhub@latest install blacksnow --registry https://cn.longxiaskill.com