70High
The skill is vulnerable to Server-Side Request Forgery
Behavior Analysis
Description verified — behavior matches claim
Claims to do
A股技术分析报告 Skill: 输入股票代码(如 002281)和股票名称(如 光迅科技),自动生成一份结构完整、逻辑清晰、语言专业克制的技术分析报告。
Actually does
The skill uses `openclaw browser` to navigate to Eastmoney stock pages (e.g., `https://quote.eastmoney.com/sz{code}.html`) and capture snapshots. It also makes direct HTTP GET requests to Eastmoney's API (`http://push2.eastmoney.com/api/qt/stock/get?`) to fetch real-time stock and index data. This extracted data, including financial metrics, event information, and market context, is then used to generate a structured technical analysis report based on a predefined template.
Skill Info
Namezhangyuqi98/a-stock-technical-analysis
Registryclawhub
Version1.0.0
PURLpkg:clawhub/zhangyuqi98/a-stock-technical-analysis@1.0.0
Downloads145
Installs1
Source
SHA-256eacfb15d6ccd...
SHA-1c06cb6650a7f...
MD574c9e4a6b6ff...
TLSH4d51b73d2907...
Size2,720 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
ClawHubDocs
openclaw skills install zhangyuqi98/a-stock-technical-analysisAssessments (3)
AI Agent Traps ↗Unvalidated user input in external callshighssrf
The skill directly inserts user-provided stock codes into URLs for `openclaw browser navigate` and `http://...` API calls. Without explicit input validation, a malicious user could craft the stock code to perform Server-Side Request Forgery (SSRF), access arbitrary external or internal resources, or potentially inject malicious parameters into the URL.
90% confidenceline 17
openclaw browser navigate https://quote.eastmoney.com/sz{代码}.html, http://push2.eastmoney.com/api/qt/stock/get?secid=0.{代码}&fields=...Markdown injection risk in report generationlowsyntactic masking
The skill generates a report by filling data into a Markdown template (`report-template.md`). If the extracted data (especially from potentially untrusted sources like web pages) is not properly sanitized or escaped before being inserted into the Markdown template, it could lead to Markdown injection in the final report.
70% confidenceline 50
按 references/report-template.md 中的结构填充数据,生成完整报告。
Semantic framing for oversight evasioninfooversight evasion
The skill includes explicit instructions to avoid data fabrication and to append a legal disclaimer. While these are ethical guidelines, they can also serve to semantically frame the agent's output as benign and reduce human oversight scrutiny, even if underlying processes have vulnerabilities.
70% confidenceline 83
不以任何形式编造数据, 报告末尾必须附言:"以上内容仅为技术面分析,不构成投资建议。"
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/clawhub/zhangyuqi98/a-stock-technical-analysis)HTML
<a href="https://mondoo.com/ai-agent-security/skills/clawhub/zhangyuqi98/a-stock-technical-analysis"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/zhangyuqi98/a-stock-technical-analysis.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/clawhub/zhangyuqi98/a-stock-technical-analysis.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow