Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and Recommendations
This package appears to be a straightforward TickFlow HTTP client, but the registry entry is missing the fact that it requires TICKFLOW_API_KEY and the source/homepage is unknown. Before installing or supplying an API key: 1) Verify the skill's origin (repo/owner) and prefer published code from a known source; 2) Inspect the included scripts yourself (they're short and readable) to confirm no hidden endpoints; 3) Provide a least-privilege TickFlow API key (or a scoped/test key) rather than a hig...
ℹ Purpose and Capabilities
The skill's name/description match the included Python scripts: they call TickFlow endpoints for quotes and K-lines and return summaries/tables/JSON. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md and code clearly require an API key (TICKFLOW_API_KEY). This omission is an incoherence between declared metadata and actual capability.
✓ Instruction Scope
SKILL.md and the scripts keep to the stated scope: they read an API key from the environment, call TickFlow endpoints (defaults to https://api.tickflow.org), validate and format responses, and avoid writing the API key to disk or logs. The runtime instructions do not ask the agent to read unrelated files or send data to unexpected endpoints.
✓ Install Mechanism
There is no install spec (instruction-only skill with Python scripts included). Nothing in the manifest downloads or writes remote archives; the code is local and uses standard library urllib for network calls. This is the lower-risk install pattern, but note the repository/source is unknown.
⚠ Credential Requirements
The code requires a secret API key via the environment variable TICKFLOW_API_KEY (resolve_api_key raises if missing). Yet the registry metadata did not declare any required env or primary credential. Asking for an API key is reasonable for this purpose, but the metadata omission is a red flag — the skill will fail without the key and the registry listing does not surface that it needs credential input.
✓ Persistence and Privileges
The skill does not request always:true, does not modify other skills or system config, and does not persist credentials itself. It behaves as a normal, user-invoked client script.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v0.1.0 2026/3/20
● Benign
Install Command
Official: npx clawhub@latest install tickflow-realtime
Mirror (accelerated): npx clawhub@latest install tickflow-realtime --registry https://cn.longxiaskill.com