Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simple Tech Analyzer

v1.0.0

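Provides basic technical indicator analysis of MACD, KDJ, RSI and trading volume with buy/sell signal prompts, and supports real-time updates during trading hours.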

by jialun@15910701838
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description promise MACD, KDJ, RSI and real‑time updates. The shipped code implements MACD, RSI and volume ratio but does NOT compute KDJ and uses daily bars (category '日线') rather than an obvious real‑time feed. The code requires a module '@tdx-local' (presumably to access 通达信 data) but the skill metadata lists no dependencies or install steps. These mismatches mean the skill may not deliver what it advertises or may fail at runtime.
Instruction Scope
SKILL.md is lightweight and instructs how to ask for an analysis and advertises an external paid upgrade link. It states the data source is '通达信本地数据' (TDX local data), which aligns with the code's require('@tdx-local'). However, SKILL.md does not tell the user they must have a local TDX service or the '@tdx-local' package available, which is an operational gap. The upgrade link directs users off-platform; this is promotional but not direct exfiltration.
Install Mechanism
There is no install spec despite an included index.js that requires '@tdx-local'. Without an install or declared dependency, the skill may fail at runtime or assume platform-provided modules. The absence of an install step for a nonstandard module is an incoherence and a deployment risk (not necessarily malicious).
Credentials
The skill requests no environment variables, credentials, or config paths. The code does not read env vars or secrets. This is proportionate to the stated (simple) functionality.
Persistence & Privilege
The skill does not request elevated persistence (always is false) and does not modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
Before installing, know that: (1) the code does not implement KDJ even though the description claims it, and it fetches daily bars not obvious real‑time ticks — so 'real‑time updates' may be misleading; (2) index.js requires a nonstandard module '@tdx-local' but the skill provides no install instructions or declared dependency — confirm whether your environment supplies that module or how it should be installed; (3) the SKILL.md contains a paid upgrade link (external site) used for lead generation — be cautious about sending private data there; (4) the skill asks for no secrets, and the code does not appear to exfiltrate data, but test it in a safe environment first. If you need full functionality (KDJ, true intraday updates), request the author clarify dependencies and update the code/manifest to match advertised features.

Like a lobster shell, security has layers — review code before you run it.
