Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tw Monthly Revenue
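v1.0.0
Taiwan stock monthly revenue retrieval and analysis. Fetches the current month's revenue for listed/OTC companies from the Market Observation Post System (MOPS), computes YoY/MoM (year-over-year and month-over-month) growth rates, and outputs BEAT/MISS/NEUTRAL signals. Used for: (1) automatic analysis after monthly revenue is published (2) triggering investment Pipeline decisions (3) updating ANALYSIS_INDEX monitoring conditions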
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Description and SKILL.md claim data comes from the public MOPS site and that the skill is used to 'trigger investment Pipeline decisions' and 'update ANALYSIS_INDEX', but the included script actually uses the FinMind API as its data source and only prints JSON to stdout. The claimed integrations (pipeline triggering / index updating) are not implemented in code — the script simply queries FinMind and prints results. This is an incoherence between stated purpose and actual capabilities.
Instruction Scope
Runtime instructions only tell the agent/user to run the included Python script (paths are explicit). The script only performs outbound HTTPS queries to FinMind, computes YoY/MoM and signals, and prints JSON. It does not read other files, environment variables, or system state. The minor scope issue: SKILL.md references MOPS as the source while the code uses FinMind (documentation mismatch).
Install Mechanism
No install spec — instruction-only with one included Python script. Nothing is downloaded or written during an install step.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The script uses a public FinMind endpoint with an empty token by default, so no secrets are requested or needed.
Persistence & Privilege
Skill is not always-enabled and does not modify other skills or global agent config. It runs only when invoked.
What to consider before installing
This skill is plausible and not obviously malicious, but be aware of two practical inconsistencies before installing or using it:
- Data source mismatch: the SKILL.md/description mention MOPS (公開資訊觀測站) but the script queries the FinMind API. If you require MOPS-origin data, verify FinMind's coverage/accuracy or change the script to your desired source.
- Overclaimed integrations: the description says it will 'trigger investment Pipeline decisions' and 'update ANALYSIS_INDEX', but the included code does not call any pipeline or external monitoring service — it only prints JSON. You will need to implement connector code if you want automated downstream actions.
Operational notes:
- The script makes outbound HTTPS calls to api.finmindtrade.com; run it in an environment where outbound network access and API terms are acceptable.
- No credentials are requested, and the script does not persist or exfiltrate data beyond printing results to stdout, but review and test it in an isolated environment if you have stricter controls.
- If you plan to integrate this into automated trading pipelines, add proper error handling, authentication for any downstream actions, and logging/alerting; verify financial/legal requirements for automated decisioning.
If you want a more definitive assessment, provide any additional SKILL.md versions or external documentation showing intended integration endpoints, or confirm whether you expect MOPS (HTML/scrape) rather than FinMind API as the canonical data source.
Like a lobster shell, security has layers — review code before you run it.
