Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Investage Temp
v1.0.0 Value-investing daily tracking system: integrates valuation, technical analysis and sentiment analysis, produces a composite score report and sends it by email. Intended for personal portfolio tracking.
⭐ 0 · 58 · 0 current · 0 all-time
by @arbiger
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (daily portfolio tracking, analysis, and email reports) aligns with the code. However, the code contains hardcoded database credentials (host=localhost, database=investage, user=george) and hardcoded RECIPIENTS emails inside scripts rather than reading config.yaml or environment variables as the SKILL.md implies. The SKILL.md instructs exporting PGHOST/PGDATABASE/PGUSER and using config.yaml, but the main scripts ignore those environment variables and the example config, which is incoherent and could cause surprising behavior or accidental use of the developer's defaults.
Instruction Scope
SKILL.md tells the user to set env vars, create DB tables, and configure config.yaml, and to use the 'gog' CLI for email. The runtime scripts, however, directly connect to a local PostgreSQL database using hardcoded credentials and call the 'gog' CLI via subprocess without declaring it as a requirement. The scripts access external network services (yfinance, Reddit, Polymarket) — which is expected for data gathering — but these outbound requests and email-sending behavior are not clearly represented in the registry metadata or required environment list. The SKILL.md's instructions and the code's behavior diverge in ways that give the agent broad discretion (DB writes, email sending, external network calls).
Install Mechanism
There is no install spec (instruction-only), which minimizes direct install-time risk. However, the skill depends on system-level components not declared in the registry: PostgreSQL availability, Python packages (yfinance, psycopg2, requests, pandas, numpy), and the 'gog' command-line tool for sending email. Those missing/undeclared dependencies create operational surprise and elevated risk if users assume no extra tools are required.
Credentials
Registry metadata lists no required environment variables or credentials, but the code uses a hardcoded DB_CONFIG and hardcoded email recipients and a hardcoded GOG_ACCOUNT. The SKILL.md suggests using PGHOST/PGDATABASE/PGUSER and config.yaml, but the script implementations ignore those and use embedded values. This mismatch is disproportionate and potentially dangerous: secrets or private holdings could be stored/sent to the developer's defaults if left unchanged. The skill also sends reports externally via email (gog), which means data collected locally will be transmitted off-host.
Persistence & Privilege
always:false (no forced persistence). The skill can be invoked autonomously (disable-model-invocation:false), which is the platform default. This combined with the ability to send emails and write to a DB increases blast radius, but autonomous invocation alone is not unusual. The skill does not request to modify other skills or system config files.
What to consider before installing
This skill mostly matches its description (portfolio tracking + analysis + email reports) but contains inconsistencies that you should resolve before using it:
- Inspect and edit the scripts: replace hardcoded DB credentials (user 'george', empty password) and RECIPIENTS with values from a config.yaml or secure environment variables. The current defaults look like developer/test values and could leak data or cause accidental writes to an unintended database.
- Declare and install required dependencies: PostgreSQL, Python libs (yfinance, psycopg2, pandas, numpy, requests), and the 'gog' CLI. SKILL.md mentions gog but the skill registry did not list it as a required binary.
- Understand data flows: the skill fetches external data (yfinance, Reddit, Polymarket) and will send HTML reports via the 'gog' email CLI to the configured recipients. If you run this on a machine with sensitive holdings data, ensure email recipients are correct and that network calls are acceptable.
- Run initially in a sandboxed environment and with a test config (no real holdings, test email) to confirm behavior. Review and create the needed DB tables (the SKILL.md shows some SQL but the code expects additional tables like thesis_history and portfolio_snapshot).
- If you lack confidence editing the code, consider not installing or ask the author to provide a version that reads credentials from config.yaml/environment and documents all external dependencies.
Because of these mismatches and hardcoded defaults, treat the skill as suspicious until you fix or verify its configuration.
latest: vk97e150c4dpjk4dz1sjp3wg4g583jhfw
