Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HK Stock Intraday Trading Review (港股日内交易复盘)

v1.0.3

Based on pre-market stock selection and real-time quotes, automatically generates buy, sell and stop-loss prices for Hong Kong intraday trades together with a post-trade review, and can push the results as Feishu messages.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description (HK intraday stock selection, price calculation, and post-trade review with Feishu push) match the behaviour in the code: the scripts fetch real-time market data, compute buy/sell/stop prices, generate reports and push notifications. However, the registry metadata claims 'required env vars: none' and 'instruction-only', while several scripts read environment variables (TUSHARE_TOKEN) and push to Feishu. That is a mismatch between what is declared and what the code does.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts and to run curl against EastMoney/Tencent endpoints, which is within the described purpose. But the instructions and scripts also read and write local files under the skill tree (output/picks, data/*.json) and make network calls to several external services (EastMoney, qt.gtimg, Yahoo, Tushare, Feishu). Neither SKILL.md nor the registry entry declares or warns about the required credentials (TUSHARE_TOKEN) or webhook URLs, so the code may make outbound calls to those endpoints as soon as it is run.
Install Mechanism
The registry lists no install spec (instruction-only), yet SKILL.md and the code expect a Python runtime plus third-party libraries (requests, easyquotation, possibly tushare). These dependencies are not declared anywhere in the metadata: there is no requirements.txt and no install steps in the registry. An operator could therefore run the scripts without reproducing the required environment or vetting the dependencies; undeclared dependencies reduce transparency and increase supply-chain risk.
Credentials
The package metadata lists no required environment variables, but the code reads TUSHARE_TOKEN via os.getenv and includes code paths that send Feishu notifications (save_results calls _send_feishu_notification). An API token and a webhook URL are credential-bearing; they are proportionate for a skill that pushes messages and optionally queries Tushare, but they should be declared. The absence of a declared primaryEnv or required env variables is an inconsistency. The scripts also make outbound HTTP requests to several public endpoints, which is expected for market data but worth noting.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide agent settings. It writes files only within its own data/ and output/ directories (performance_tracking.json, picks files). No elevated persistence or cross-skill configuration changes were observed in the provided files.
What to consider before installing
This package is inconsistent: the metadata claims 'no env vars' and 'instruction-only', but several included Python scripts make network calls, expect credentials (e.g. TUSHARE_TOKEN) and will send Feishu notifications. Before running or installing:

1) Inspect the functions that make outbound requests (_send_feishu_notification and any code that posts to external URLs) to confirm where data is sent.
2) Do not provide real API tokens or webhook URLs until you have reviewed and trust the code; use dummy tokens in a sandbox first.
3) Install and audit the required Python dependencies (requests, easyquotation, tushare) from trusted sources, or run the skill inside an isolated environment or container.
4) If you plan to run the scripts as automated cron tasks, test them interactively first and verify that they write only into the skill's own directories.
5) Ask the publisher for a declared list of required env vars and a requirements.txt or installation steps; the absence of that information is a red flag.

If you want, I can (a) list every place the code contacts external endpoints and which env vars it reads, or (b) point out the exact files and functions that trigger notifications so you can inspect them in detail.
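One way to do step 1 and step 4 mechanically, and to check the declared metadata against what the scripts actually read, is a small AST walk over each script. The block below is an added example for this review, not ClawHub's scanner and not the skill's own code: it records environment variables read through os.getenv / os.environ, every host named in a URL literal, and every path opened for writing, then diffs the env vars against the registry's declared list. SAMPLE_SOURCE is a constructed stand-in that mimics the patterns the report describes (os.getenv("TUSHARE_TOKEN"), a Feishu webhook POST, a write into data/); its function names, the FEISHU_WEBHOOK variable and the placeholder webhook path are assumptions, not the skill's real identifiers.

```python
"""Static audit of a skill's Python source: env vars read, hosts contacted,
files written, compared against the registry's declared metadata.
Added example for this review; not ClawHub's scanner or the skill's own code.
Requires Python 3.9+ (ast.Subscript.slice is the expression itself)."""
import ast
import os
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample resembling the report's findings; not the skill's real code.
SAMPLE_SOURCE = '''
import os, json, requests

TUSHARE_TOKEN = os.getenv("TUSHARE_TOKEN")
WEBHOOK = os.environ.get("FEISHU_WEBHOOK", "https://open.feishu.cn/open-apis/bot/v2/hook/xxxx")

def fetch_quotes(codes):
    url = "https://qt.gtimg.cn/q=" + ",".join(codes)
    return requests.get(url, timeout=5).text

def _send_feishu_notification(text):
    requests.post(WEBHOOK, json={"msg_type": "text", "content": {"text": text}})

def save_results(rows):
    with open("data/performance_tracking.json", "w") as f:
        json.dump(rows, f)
    _send_feishu_notification("done")
'''


def _const_str(node):
    """Return the string value of a literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def audit_source(source: str) -> dict:
    """Collect env vars read, external hosts referenced and paths opened for writing."""
    tree = ast.parse(source)
    env_vars, hosts, writes = set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            # os.getenv("X") and os.environ.get("X", default)
            if isinstance(func, ast.Attribute) and func.attr in ("getenv", "get"):
                base = func.value
                is_env = (
                    (isinstance(base, ast.Name) and base.id == "os" and func.attr == "getenv")
                    or (isinstance(base, ast.Attribute) and base.attr == "environ")
                )
                if is_env and node.args and _const_str(node.args[0]):
                    env_vars.add(_const_str(node.args[0]))
            # open("path", "w" / "a" / "+") is a write to the local filesystem
            if isinstance(func, ast.Name) and func.id == "open" and len(node.args) >= 2:
                path, mode = _const_str(node.args[0]), _const_str(node.args[1])
                if path and mode and any(m in mode for m in "wa+"):
                    writes.add(path)
        # os.environ["X"]
        if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
                and node.value.attr == "environ" and _const_str(node.slice)):
            env_vars.add(_const_str(node.slice))
        # Any string literal carrying a URL names an external host the code may contact.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                hosts.add(urlparse(url).hostname)
    return {"env_vars": sorted(env_vars), "hosts": sorted(hosts), "writes": sorted(writes)}


def undeclared_env_vars(findings: dict, declared_env: list) -> list:
    """Env vars the code reads that the registry metadata does not declare."""
    return sorted(set(findings["env_vars"]) - set(declared_env))


def escaping_writes(paths: list) -> list:
    """Write paths that leave the skill tree (absolute, or containing a '..' segment)."""
    return [p for p in paths
            if os.path.isabs(p) or ".." in os.path.normpath(p).split(os.sep)]


if __name__ == "__main__":
    found = audit_source(SAMPLE_SOURCE)
    print(found)
    # Registry claims 'required env vars: none', so everything read is undeclared.
    print("undeclared:", undeclared_env_vars(found, []))
    print("escaping writes:", escaping_writes(found["writes"]))
```

Run it over every .py file in the downloaded zip (ast.parse on each file's text) and compare the env_vars list with the registry's declared list; a non-empty result from undeclared_env_vars is exactly the mismatch the report describes, and any host outside the market-data and Feishu domains you expect deserves a closer look. The scanner is deliberately literal-only: a URL or variable name built at runtime will not show up, so a clean result narrows the manual review rather than replacing it.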


Tags: hk-stock, latest, review, trading

