Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Monitor Skill

v2.0.0

Automatically monitors stock prices and sends a Feishu voice alert when a price crosses a threshold. Supports multiple stocks, custom thresholds, and trading-hours checks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (stock monitoring + Feishu voice alerts) align with what the code does: polling public stock APIs and sending voice/text alerts. Required env vars in manifests (FEISHU_* and NOIZ_API_KEY) are plausible for sending TTS via Feishu or a TTS provider.
Instruction Scope
The runtime instructions and scripts focus on reading a stocks.conf and (optionally) a holidays.conf, caching to /tmp, calling public stock APIs, and invoking a local send_voice.sh if one is available. In the code shown they do not read unrelated system files or contact network endpoints other than the stock-data and standard services. However, SKILL.md and the README reference helper files (get_price.sh, notify.sh, config.sh) that are not present in the package (the bundle contains fetch_price.sh and monitor.sh). This inconsistency can lead to unexpected behavior or missing functionality.
Install Mechanism
This is an instruction-only skill with no install spec: nothing is downloaded or written by an installer. The scripts use standard tools (curl, bc, jq). This lowers supply-chain risk.
Credentials
The skill requires FEISHU_APP_ID/SECRET/CHAT_ID (expected) and NOIZ_API_KEY. The FEISHU credentials are sensitive but expected for a messaging/voice skill. NOIZ_API_KEY is a third credential (presumably for a TTS/Noiz AI service). In the visible script NOIZ_API_KEY is only checked for presence; its actual use is not shown in the truncated code, so it is unclear whether the key is used only for TTS or for broader calls. Confirm what NOIZ_API_KEY is used for before providing it.
Persistence & Privilege
The skill does not request permanent/global inclusion (always:false) and does not modify other skills' configurations. It writes cache files to /tmp and reads project-local config files; that is expected for a monitoring script.
What to consider before installing
Things to check before installing/using:
- Verify which files actually exist in the package: SKILL.md/README mention get_price.sh, notify.sh, and config.sh, but the bundle contains fetch_price.sh and monitor.sh. Confirm that the entry point (scripts/monitor.sh) is the intended runner and that no missing helper scripts are required.
- Inspect any send_voice.sh script you will use: the skill calls ../feishu-edge-tts/scripts/send_voice.sh if that sibling directory exists. If you rely on it, review that script to see how FEISHU_* and NOIZ_API_KEY are used.
- Confirm why NOIZ_API_KEY is required and what scope/permissions that key has; avoid reusing high-privilege keys. If you don't have or trust NoizAI, test in a safe environment where the TTS fallback (echo) is acceptable.
- Run the scripts in a sandbox or an isolated account first (crontab scheduling causes repeated network activity). Check logs to ensure the credentials are used only for sending alerts and not for uploading data elsewhere.
- Because the package is instruction-only and makes network calls, run it on a host where you can monitor outbound traffic, and rotate any credentials after testing.
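The checks above (the file inventory, how NOIZ_API_KEY and the FEISHU_* variables are actually used, and which hosts the scripts contact) can be done statically before anything runs. The Python script below is an added example, not code from the ClawHub page or from the Stock Monitor skill. It builds a constructed bundle whose file names follow the scan findings but whose contents are invented, then audits it. It treats uppercase names that are never assigned inside the bundle as environment inputs, counts `[ -z/-n "$X" ]` and `${X:?}` as presence-only checks, and flags curl/wget lines whose destination is built from a variable, because a static scan cannot tell where such a request goes.

```python
"""Static pre-install audit of a skill bundle (added example, not the skill's code).

Reports: helper scripts named in SKILL.md/README.md but absent from the bundle,
how each environment variable is used (presence check vs. real use), every host
contacted by curl/wget, and scripts outside the bundle that get executed.
The sample bundle is constructed for this demonstration; its contents are invented.
"""
import json
import re
import tempfile
from pathlib import Path

SCRIPT_REF = re.compile(r"([\w-]+\.sh)\b")                 # helper names in docs
ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)")            # $VAR or ${VAR...}
PRESENCE = re.compile(                                      # [ -z "$VAR" ] / ${VAR:?}
    r'\[\s*-[zn]\s*"?\$\{?([A-Z][A-Z0-9_]*)\}?"?\s*\]|\$\{([A-Z][A-Z0-9_]*):\?')
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=")  # locally defined
URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
SIBLING = re.compile(r"[\w$./{}-]*\.\./[\w./-]+\.sh")      # ../other-skill/x.sh
NET_CMD = re.compile(r"\b(curl|wget)\b")


def missing_helpers(bundle: Path) -> list[str]:
    """Script names mentioned in the docs that exist nowhere in the bundle."""
    present = {p.name for p in bundle.rglob("*.sh")}
    mentioned: set[str] = set()
    for doc in ("SKILL.md", "README.md"):
        if (bundle / doc).exists():
            mentioned.update(SCRIPT_REF.findall((bundle / doc).read_text()))
    return sorted(mentioned - present)


def env_usage(bundle: Path) -> dict[str, dict[str, int]]:
    """Per externally supplied variable: presence-only checks vs. real uses."""
    usage: dict[str, dict[str, int]] = {}
    assigned: set[str] = set()
    for script in bundle.rglob("*.sh"):
        for line in script.read_text().splitlines():
            if m := ASSIGN.match(line):
                assigned.add(m.group(1))
            presence = [a or b for a, b in PRESENCE.findall(line)]
            refs = ENV_REF.findall(line)
            for var in set(refs):
                rec = usage.setdefault(var, {"presence": 0, "use": 0})
                rec["presence"] += presence.count(var)
                rec["use"] += refs.count(var) - presence.count(var)
    return {v: c for v, c in usage.items() if v not in assigned}


def outbound_hosts(bundle: Path) -> dict[str, list[str]]:
    """Host -> locations of curl/wget calls; '(dynamic)' when the URL is a variable."""
    hosts: dict[str, list[str]] = {}
    for script in bundle.rglob("*.sh"):
        rel = script.relative_to(bundle).as_posix()
        for n, line in enumerate(script.read_text().splitlines(), 1):
            if not NET_CMD.search(line):
                continue
            for host in URL.findall(line) or ["(dynamic)"]:
                hosts.setdefault(host, []).append(f"{rel}:{n}")
    return hosts


def sibling_invocations(bundle: Path) -> list[str]:
    """Paths (as written) to scripts outside the bundle that may be executed."""
    found: set[str] = set()
    for script in bundle.rglob("*.sh"):
        found.update(m.group() for m in SIBLING.finditer(script.read_text()))
    return sorted(found)


def audit(bundle: Path) -> dict:
    return {"missing_helpers": missing_helpers(bundle), "env": env_usage(bundle),
            "hosts": outbound_hosts(bundle), "sibling_scripts": sibling_invocations(bundle)}


def build_sample_bundle(root: Path) -> Path:
    """Constructed bundle: file names follow the scan report, contents are invented."""
    bundle = root / "stock-monitor"
    (bundle / "scripts").mkdir(parents=True)
    (bundle / "SKILL.md").write_text(
        "# Stock Monitor\nEntry point: scripts/monitor.sh\n"
        "Helpers: scripts/get_price.sh, scripts/notify.sh and config.sh\n")
    (bundle / "scripts" / "fetch_price.sh").write_text(
        '#!/bin/sh\ncode=$1\ncurl -s "https://stock-api.example.com/quote?code=$code"\n')
    (bundle / "scripts" / "monitor.sh").write_text("\n".join([
        '#!/bin/sh',
        ': "${FEISHU_APP_ID:?missing}"',
        '[ -z "$NOIZ_API_KEY" ] && echo "NOIZ_API_KEY not set, using echo fallback"',
        'SKILL_DIR=$(cd "$(dirname "$0")/.." && pwd)',
        'VOICE="$SKILL_DIR/../feishu-edge-tts/scripts/send_voice.sh"',
        'while read -r code threshold; do',
        '  price=$(sh "$SKILL_DIR/scripts/fetch_price.sh" "$code")',
        '  [ "$(echo "$price > $threshold" | bc)" = 1 ] || continue',
        '  msg="$code crossed $threshold"',
        '  curl -s -X POST "https://open.feishu.cn/open-apis/im/v1/messages"'
        ' -H "Authorization: Bearer $FEISHU_TOKEN" -d "$msg"',
        '  [ -x "$VOICE" ] && "$VOICE" "$msg" || echo "$msg"',
        '  [ -n "$WEBHOOK" ] && curl -s -d "$msg" "$WEBHOOK"',
        'done < "${STOCKS_CONF:-stocks.conf}"', ""]))
    return bundle


def audit_sample() -> dict:
    """Build the constructed bundle in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_bundle(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Point `audit()` at an unpacked bundle directory to get the same report for a real package. A variable that shows up with `use: 0` (here NOIZ_API_KEY) is exactly the case the scan describes: the key is demanded but never used in the visible scripts, so its real consumer is outside the bundle and has to be reviewed separately. The `(dynamic)` entry is the line to watch on the network monitor, since the destination is not decidable before runtime. The heuristics are deliberately simple (uppercase names only, no `read` or `eval` tracking) and are a starting point for review, not a substitute for it.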
