Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Selecter

v3.3.2

Unified stock-selection skill package integrating 14 strategies (ROE screening, MACD bottom divergence, high dividend yield, low valuation, Fisher growth stocks, long-term lows, recent volume surge, trend analysis, candlestick patterns, lower Bollinger Band, concentrated holdings, cash-flow quality, northbound capital flows, shareholder share purchases, analyst target price), with support for single-strategy and multi-strategy combined screening. Trigger phrases (precise triggering, covering explicit stock-selection intent): by strategy name: ROE stock picking, ROE screening, MACD...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, CLI usage, SKILL.md, and the included Python code consistently implement a multi-strategy stock screener using Tushare data. The requested Python dependencies (pandas, numpy, requests, tushare) are proportionate to the stated functionality. However, the registry metadata claims no required environment variables while the code clearly requires a TUSHARE token (read from environment TUSHARE_TOKEN or config.json). This metadata mismatch is an incoherence that should be corrected.
Instruction Scope
The SKILL.md instructions and code are focused on screening stocks and generating reports. Runtime instructions reference only the Tushare API, config.json, and local output files (JSON/CSV/HTML). The skill explicitly excludes individual stock/price queries and doesn't instruct unrelated file reads or sending data to unknown external endpoints beyond the documented data source.
Install Mechanism
No remote install/downloads are specified; the package is delivered as code with a requirements.txt listing standard Python packages (tushare, requests, pandas, numpy, scipy). This is a normal distribution model (source bundle + pip deps) and not high-risk by itself.
Credentials
The code requires a TUSHARE token (via the environment variable TUSHARE_TOKEN or config.json) to call the data API, but the skill metadata declares 'Required env vars: none' — an inconsistency. Critically, stock_utils.py sets TUSHARE_API_URL to 'http://api.tushare.pro' and POSTs the token over plain HTTP, exposing the token to network eavesdropping or man-in-the-middle interception. Sending an API token over an unencrypted transport is a substantive security concern and a disproportionate risk relative to the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills or global agent settings, and is user-invocable only. It writes result files to an output directory (default Desktop) which is expected behaviour for a reporting tool but worth noting.
What to consider before installing
This package largely does what it says (a multi-strategy stock screener) and requires installing Python dependencies and supplying a Tushare token. Before installing or running it:

1) Be aware you must provide a TUSHARE token (either set the environment variable TUSHARE_TOKEN or put it in config.json). The registry metadata omits this requirement, so double-check you supply it.

2) The code currently posts the token to http://api.tushare.pro (plain HTTP). That can expose your token in transit; prefer to change the endpoint to HTTPS (https://api.tushare.pro) or otherwise confirm the transport is secure before using a real token.

3) Review the output_dir default (Desktop) and change it if you don't want results saved to that location.

4) Install dependencies in an isolated environment (virtualenv) and scan the provided files yourself for any hardcoded endpoints or secrets.

If you need higher assurance, ask the publisher to (a) correct the metadata to declare the required env var, and (b) update the code to use HTTPS and document the exact endpoints used.



