Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta Market Brief

v1.0.0

Generate a concise Chinese market brief for the trader agent using Tiger API first and Yahoo Finance as supplement. Use for hourly market snapshots, trader b...

MIT-0
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
Name/description match the goal (Tiger API + Yahoo Finance). However, the skill requires running a specific local script in /Users/zhouwen/.openclaw/..., which is not justified by the metadata (no install, no required env). Referencing a private absolute path is disproportionate and not portable.
Instruction Scope (flagged)
The SKILL.md commands the agent to always execute an absolute path to a Python script in a user's home directory. That gives the skill the ability to run arbitrary code and access local files/credentials via that script; the skill does not document what the script does or what data it will read or transmit.
Install Mechanism (flagged)
There is no install spec (instruction-only), which is low risk in general, but here the runtime instruction forces execution of an existing local binary/script. That effectively delegates execution risk to an opaque file on disk and should be treated as an install/exec risk.
Credentials (flagged)
The skill declares no required environment variables or credentials, yet it instructs use of Tiger API (which normally requires keys). This implies the local script must contain or fetch credentials; the skill provides no justification or declaration for that access, which is disproportionate and opaque.
Persistence & Privilege
The skill does not request always:true and does not declare persistent installation. It is user-invocable and can be invoked autonomously by the agent (default), which increases the impact of the other concerns but is not itself a misconfiguration here.
What to consider before installing
This skill asks your agent to run an opaque Python script located in /Users/zhouwen/.openclaw/..., which may execute arbitrary code and access local credentials. Before installing or enabling it:
1. Refuse automatic execution until you can inspect the script.
2. Locate and manually review /Users/zhouwen/.openclaw/workspace-papertrader/scripts/tiger_market_brief.py to see what it does (network calls, file reads, credential usage).
3. Ensure credentials (Tiger API keys, etc.) are stored and used intentionally — the skill declares none.
4. Prefer a skill that either (a) calls Tiger/Yahoo via documented API calls with declared env vars, or (b) includes a safe install step that you control.
5. If you must run it, run the script in a sandboxed environment and monitor outbound connections.
If you cannot inspect the referenced script or confirm its behavior, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.

Tags: latest, market-analysis, research, spx, tiger-api, trading

License

MIT-0
Free to use, modify, and redistribute. No attribution required.