Metal Price

全球铁合金网价格查询与导出技能。自动登录www.qqthj.com网站，查询指定金属(如锰铁、钒铁等)的当日价格数据，抓取价格表格并导出为Excel文件。

This skill's behavior (logging into an external site and saving files to a specific user's Desktop) is coherent with scraping metal prices, but there are red flags you should resolve before installing: - The SKILL.md contains hard-coded login credentials. Ask the publisher why fixed credentials are embedded and never use skills that ship with unknown account/password pairs. Prefer skills that prompt you to supply your own credentials or use stored, auditable secrets. - The export path is hard-coded to another user's Desktop (C:\Users\wangxiang\...). That means files will be written to a specific location which likely doesn't exist on your machine and may indicate the author tailored the skill to their environment. Require the skill to accept a configurable path instead. - The instructions are vague about how the agent will perform browser automation (selenium, puppeteer, headless browser, or remote calls). Ask how automation is implemented and run the skill in a restricted sandbox (isolated account, network monitoring) until you trust it. - Confirm the legality and terms-of-service of scraping www.qqthj.com. If you proceed, provide your own credentials and a safe, configurable export directory; review network and filesystem activity during the first runs. Given these inconsistencies (embedded creds, fixed path, and vague execution method) I rate the skill as suspicious. If the author clarifies that the credentials are placeholders, makes the output path configurable, and documents the automation tool used, the risk would be reduced.

Type: OpenClaw Skill Name: metal-price Version: 1.0.0 The skill is classified as suspicious due to two key vulnerabilities found in SKILL.md: hardcoded login credentials (username and password) for the target website, and a hardcoded, specific user desktop path (`C:\Users\wangxiang\Desktop\阶跃产出结果\Excel文件`) for saving the output Excel file. While the skill's stated purpose of web scraping metal prices is benign, these practices introduce security risks (e.g., credential exposure, potential permission issues or unintended file placement) without clear evidence of intentional malicious behavior like data exfiltration or system compromise.