宏观经济数据查询 (mx_macro_data)

Name: mx-macro-data
Author: financial-ai-analyst

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

40Medium

The skill risks command injection by passing uns

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

宏观经济数据查询 (mx_macro_data): 通过**文本输入**查询宏观经济数据，接口返回 JSON 后会自动转换为 **CSV** 并生成对应的**内容描述 txt** 文件。

Actually does

This skill executes a Python script (`scripts/get_data.py`) that uses the `httpx` library to query an external macroeconomic data API from Eastmoney, requiring an `EM_API_KEY`. It takes a natural language query, processes the API's JSON response, and outputs the data as one or more CSV files and a descriptive TXT file to a local directory.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namefinancial-ai-analyst/mx-macro-data

Registryclawhub

Version1.0.11

PURLpkg:clawhub/financial-ai-analyst/mx-macro-data@1.0.11

Stars65

Downloads12,661

Installs20

Source

Repository ↗

SHA-256ea3ea5c74ed2...

SHA-1d96d2e30ef51...

MD519c7379269cc...

TLSHcd42f8240c0b...

ssdeep192:f3WsSSkq...

Size13,171 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/financial-ai-analyst/mx-macro-data

12,661 downloads20 installs

ClawHubDocs

openclaw skills install financial-ai-analyst/mx-macro-data

Assessments (1)

AI Agent Traps ↗

Mandatory orchestrator workflow & code executionmediumautonomy abuse

The skill mandates a complex, multi-stage '完整性复核' (integrity verification) workflow for the orchestrator, including iterative calls to the skill and internal code execution (e.g., Python Sandbox) to read and analyze generated CSVs. This dictates the orchestrator's decision-making, resource usage, and forces internal code execution.

90% confidence

上层规划引擎在调用 `mx_macro_data` 后，**必须**执行以下工作流... 使用规划引擎内置的代码执行能力（如 Python Sandbox）读取 CSV。⚠️ **强制要求**：上层规划引擎**必须**执行以下补全流程...

Potential command injection via script invocationlowcommand execution

The skill's command line invocation passes user-controlled query input to a Python script (`get_data.py`). If this script internally uses `shell=True` with unsanitized input when executing system commands, it could lead to command injection.

60% confidenceline 183

python3 {baseDir}/scripts/get_data.py --query 中国GDP

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-macro-data.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-macro-data)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-macro-data"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-macro-data.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-macro-data.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow