← Back to Skills Marketplace
Metal Price
by
wangxiang2023
· GitHub ↗
· v1.0.0
524
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install metal-price
Description
全球铁合金网价格查询与导出技能。自动登录www.qqthj.com网站,查询指定金属(如锰铁、钒铁等)的当日价格数据,抓取价格表格并导出为Excel文件。
Usage Guidance
This skill's behavior (logging into an external site and saving files to a specific user's Desktop) is coherent with scraping metal prices, but there are red flags you should resolve before installing:
- The SKILL.md contains hard-coded login credentials. Ask the publisher why fixed credentials are embedded and never use skills that ship with unknown account/password pairs. Prefer skills that prompt you to supply your own credentials or use stored, auditable secrets.
- The export path is hard-coded to another user's Desktop (C:\Users\wangxiang\...). That means files will be written to a specific location which likely doesn't exist on your machine and may indicate the author tailored the skill to their environment. Require the skill to accept a configurable path instead.
- The instructions are vague about how the agent will perform browser automation (selenium, puppeteer, headless browser, or remote calls). Ask how automation is implemented and run the skill in a restricted sandbox (isolated account, network monitoring) until you trust it.
- Confirm the legality and terms-of-service of scraping www.qqthj.com. If you proceed, provide your own credentials and a safe, configurable export directory; review network and filesystem activity during the first runs.
Given these inconsistencies (embedded creds, fixed path, and vague execution method) I rate the skill as suspicious. If the author clarifies that the credentials are placeholders, makes the output path configurable, and documents the automation tool used, the risk would be reduced.
Capability Analysis
Type: OpenClaw Skill
Name: metal-price
Version: 1.0.0
The skill is classified as suspicious due to two key vulnerabilities found in SKILL.md: hardcoded login credentials (username and password) for the target website, and a hardcoded, specific user desktop path (`C:\Users\wangxiang\Desktop\阶跃产出结果\Excel文件`) for saving the output Excel file. While the skill's stated purpose of web scraping metal prices is benign, these practices introduce security risks (e.g., credential exposure, potential permission issues or unintended file placement) without clear evidence of intentional malicious behavior like data exfiltration or system compromise.
Capability Assessment
Purpose & Capability
The skill claims to scrape prices from www.qqthj.com and export to Excel — the steps in SKILL.md align with that purpose. However, the inclusion of a hard-coded username and password and a mandatory, user-specific export path (C:\Users\wangxiang\...) are unexpected for a generic scraping/export tool and are not justified by the description.
Instruction Scope
The instructions direct automated login, navigation, scraping, and writing an .xlsx to a fixed local path. They provide CSS selectors but no concrete, safe method for automation (no mention of which tool to use). This vagueness gives the agent broad discretion (e.g., executing arbitrary browser automation), and the forced write location is intrusive.
Install Mechanism
Instruction-only skill with no install steps or third-party downloads; nothing is written to disk by an installer. This lower install surface reduces risk.
Credentials
No required environment variables are declared, yet plaintext login credentials are embedded in SKILL.md. Embedding an account/password directly in the instructions and requiring a specific user desktop path are disproportionate and suspicious. It's unclear whether the credentials are legitimate/test or stolen.
Persistence & Privilege
always is false and the skill does not request system-wide or cross-skill configuration changes. It does, however, instruct writing to a specific local path which would require filesystem write permission when executed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install metal-price - After installation, invoke the skill by name or use
/metal-price - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
全球铁合金网价格查询与导出技能
Metadata
Frequently Asked Questions
What is Metal Price?
全球铁合金网价格查询与导出技能。自动登录www.qqthj.com网站,查询指定金属(如锰铁、钒铁等)的当日价格数据,抓取价格表格并导出为Excel文件。 It is an AI Agent Skill for Claude Code / OpenClaw, with 524 downloads so far.
How do I install Metal Price?
Run "/install metal-price" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Metal Price free?
Yes, Metal Price is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Metal Price support?
Metal Price is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Metal Price?
It is built and maintained by wangxiang2023 (@wangxiang2023); the current version is v1.0.0.
More Skills