📦 Cn Client Investigation - Client Background Investigation

v0.9.6

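Client due diligence: performs due diligence on mainland China clients, carrying out banker-grade analysis with strict checks on Chinese text accuracy and data provenance. Suitable for A-s...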

by @jackdark425 (jackdark)
Last updated: 2026/4/20
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
The skill's files mostly match a China-market due‑diligence purpose, but the code secretly relies on local OpenClaw config and network credentials (and even disables proxy env vars) while the metadata declares no required credentials or dependencies — these mismatches merit caution before installing.
Assessment recommendations
Key things to consider before installing or running this skill:
- The skill metadata declares no required credentials, but the code expects them. Ask the publisher to explicitly list required env vars (e.g. TUSHARE_TOKEN, PRIMEMATRIX_MCP_API_KEY, PRIMEMATRIX_BASE_URL) and explain how they are used.
- The scripts read your ~/.openclaw/openclaw.json to pull MCP API keys and then pass them into subprocesses (node bridge). If you install, inspect that file for secrets and consider using an account ...
Detailed analysis
Purpose and capabilities
The name/description (China client investigation, banker-grade QA) aligns with included lexicon, PDF/market-data checks, and the provenance/typo-scan tooling. However, the skill's code expects local OpenClaw configuration and external MCP/tokens (e.g. PrimeMatrix bridge, Tushare) while the registry metadata lists no required environment variables or credentials. That mismatch (no declared credentials but code that uses/exports MCP_API_KEY, TUSHARE_TOKEN, and reads ~/.openclaw/openclaw.json) is incoherent and requires explanation.
Instruction scope
SKILL.md describes using web_fetch and specific MCP tools and mandates running provenance/typo scanners — appropriate for the purpose. But runtime instructions and included scripts (e.g. provenance_verify.py, cn_typo_scan.py, build_deck.py, bj_smoke_v2.py) read local config, shell out to node/bridge processes, and expect the agent or operator to edit skill files (e.g. add lexicon entries by editing references/cn-lexicon.js). Allowing automated edits to shipped skill files and reading ~/.openclaw/openclaw.json expands scope beyond 'analysis only' and should be explicitly documented/justified.
Install mechanism
There is no install spec (instruction-only), but many included scripts require runtime dependencies (node + pptxgenjs, python3 + python-pptx and other python libs) and expect certain files at user-specific paths. The absence of a declared install step or dependency list is a practical gap: users must manually satisfy runtime deps, and the skill bundle contains executable scripts that will be used at runtime.
Credential requirements
The registry metadata declares no env vars; yet scripts reference and use credentials: bj_smoke_v2.py reads TUSHARE_TOKEN (with a hard-coded default token), multiple scripts read ~/.openclaw/openclaw.json to obtain 'PRIMEMATRIX_MCP_API_KEY' and 'PRIMEMATRIX_BASE_URL' and then pass them into subprocesses (node bridge). Additionally, bj_smoke_v2.py explicitly pops HTTP_PROXY/HTTPS_PROXY/ALL_PROXY from os.environ, preventing proxy routing (this is a red flag because it bypasses local proxy/monitoring). These behaviors (undeclared credential use, hard-coded token, and proxy removal) are disproportionate unless the skill explicitly documents which secrets it needs and why.
Persistence and privileges
always:false and user-invocable are appropriate. The skill does read user config (~/.openclaw/openclaw.json) and writes deliverable files and lexicon edits into the skill's files/directories — expected for a tool that maintains a lexicon. It does not declare modifying other skills or system-wide settings. Still, allowing agent-driven editing of files included in the skill gives it write capability to its own code bundle and should be scoped/controlled.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.9.6 · 2026/4/20

**Major update: Adds comprehensive banker-grade safeguards for China mainland client investigation workflows.**
- Introduces strict Chinese text accuracy controls: disallows `\uXXXX` escapes and mandates a hard-coded reference lexicon for all key terms.
- Enforces multi-source data provenance: every financial figure must be cross-verified from at least two independent sources, tracked in an auditable provenance file.
- Embeds mandatory typo and accuracy gates using Python scripts (`provenance_verify.py`, `cn_typo_scan.py`); deliverables cannot ship without passing these checks.
- Specifies source-data prioritization hierarchy for China company research, with fallback rules if data is unavailable.
- Requires English name primary, Chinese name secondary formatting on deck covers to reduce typo risk.
- Clearly prohibits fabrication of missing data; outputs must flag gaps transparently.

Install command

Official: npx clawhub@latest install cn-client-investigation
Mirror: npx clawhub@latest install cn-client-investigation --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库