Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill's code (search.mjs and download.mjs) appears to do what the description promises: search and download reports from yanbaoke's API. However, the provided installation instructions tell you to curl scripts from https://app.quzili.cn (a host different from the API domain) into your home directory and to append your API key to ~/.bashrc. Before installing, consider: 1) Verify the installer host and files (app.quzili.cn) — prefer downloading code bundled in the registry or from an official...
ℹ Purpose and capabilities
The skill's name, description, and runtime scripts (search.mjs, download.mjs) align: search is public and download requires a YANBAOKE_API_KEY. Required binary (node) and the single env var are appropriate for the stated functionality. Minor inconsistency: package references both api.yanbaoke.cn (API) and app.quzili.cn (installation host).
⚠ Instruction scope
SKILL.md and the scripts themselves only call the yanbaoke API and print results (no unrelated system file reads). However, the install instructions (instruct.md / README.md) direct users to curl remote scripts into ~/.openclaw/skills/yanbaoke and to append an API key to ~/.bashrc. These installation-time steps write remote code to disk and persist credentials, which broadens scope beyond runtime needs.
⚠ Install mechanism
There is no formal install spec in the registry; instead instruct.md tells users to download scripts from https://app.quzili.cn. That host is different from the service domain (pc.yanbaoke.cn / api.yanbaoke.cn). Downloading and extracting code from a third-party URL (not a well-known release host) is higher risk and should be treated cautiously.
ℹ Credential requirements
Only one environment variable is required (YANBAOKE_API_KEY), which is appropriate for authenticated downloads. The instructions recommend writing the API key into ~/.bashrc for persistence, which is convenient but potentially unsafe if the key is sensitive or the user's system is shared.
ℹ Persistence and privileges
The skill does not request 'always:true' or other elevated platform privileges. The scripts themselves do not modify other skills or system settings. The installation steps (user-run) suggest persisting the API key to shell rc, which increases persistence of secrets but is an installer behavior rather than an automatic privilege escalation.
⚠ scripts/download.mjs:78
Environment variable access combined with network send.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v2.1.0 2026/4/3
● Pending
Install command
Official: npx clawhub@latest install yanbaoke-research-report-download
Mirror (accelerated): npx clawhub@latest install yanbaoke-research-report-download --registry https://cn.longxiaskill.com (mirror syncing)