Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

stock-assistant

v1.2.0

An A-share trading assistant that combines quote lookup, trade-record management and P&L analysis. Used for: (1) querying real-time A-share quotes (2) managing trade records (3) computing positions and P&L (4) importing/exporting CSV. Code directory: D:\aicode\stock-assistant (cross-platform: the code adapts the path automatically). Invocation: from fetcher import get...

0 · 87 · 2 current · 2 all-time
by 退役前写代码的 @54meteor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included modules: fetcher (quotes), trader (trade records/P&L), db (SQLite storage), notify (Feishu). No unrelated cloud credentials or binaries are required. requirements.txt only lists requests, which is reasonable for HTTP fetching.
Instruction Scope
SKILL.md and the CLI only direct the agent to query quotes, read/write a local SQLite DB under data/, import/export CSV, and optionally POST to Feishu endpoints (webhook or private API). There is no instruction to read unrelated system files or environment secrets. Note: CSV samples include fields beginning with '=' (Excel-style formulas). The importer/exporter do not sanitize leading '=' values, which can cause CSV/Excel injection when a user opens exported/imported CSVs in spreadsheet apps (security/privacy risk). Also, SKILL.md repeatedly uses a Windows path (D:\...) in examples; the code itself adapts to relative paths, so the documentation is slightly Windows-centric but functionally consistent.
Install Mechanism
No install spec that downloads arbitrary code; repository is delivered as code files and a simple requirements.txt (requests). This is low-risk and proportionate for a Python script that performs HTTP requests.
Credentials
The skill declares no required environment variables or primary credential. Feishu integration uses CLI arguments (webhook URL or app_id/app_secret/receive_id) which is reasonable. There are no requests for unrelated credentials (AWS, GitHub tokens, etc.).
Persistence & Privilege
The skill stores data locally in data/trades.db (SQLite) and creates the data directory if missing — expected for a trade-record tool. always:false and no modification of other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: fetch A-share quotes, manage/import/export trades, compute P&L, and optionally push to Feishu. Before installing/running:
1) Review and install the Python dependency (requests).
2) Be aware the tool writes a local SQLite DB (data/trades.db) in the project folder; run it in a directory you control.
3) If you use the Feishu features, provide webhook/app credentials only to trusted recipients; the tool will POST data you choose to send.
4) CSV note: sample and import files contain cells starting with '='; exported CSVs may be interpreted as formulas by Excel. Consider sanitizing leading '=' if you open CSVs in spreadsheet programs to avoid CSV/Excel injection.
5) If you need higher assurance, inspect the fetcher module (it calls Tencent/EastMoney/Sina endpoints) to confirm acceptable endpoints and behaviour.


latest: vk97ej8wpabe8g5kn4vtvby18r583m1pm
