Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Trader

v1.0.1

A-Share Paper Trading System - Data Fetch, Storage, Backtest, Simulation

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe data fetch, storage, backtest and simulation; included scripts (fetch_daily.py, backtest.py, simulate.py) implement those features. Required env vars/binaries/config paths are none and align with a local simulation tool.
Instruction Scope
SKILL.md and examples limit actions to running the bundled scripts and writing data under ~/.openclaw/workspace/a-stock/. The docs claim scheduled automatic tasks (daily/weekly/monthly), but no installer or scheduler is provided — automatic scheduling appears to be a documentation statement rather than implemented behavior. Code performs network fetching (requests to East Money API) and local DB reads/writes as expected. Also note minor coding concerns: backtest.py builds an SQL query via f-string (pandas.read_sql), which could allow injection if untrusted input is fed into the script; fetch/backtest/simulate expect CLI args and a local DB, so risk is limited to the local execution context.
Install Mechanism
No install spec; this is instruction + bundled scripts only. Nothing is downloaded or extracted during install, which minimizes persistence/supply-chain risk.
Credentials
No environment variables, credentials, or config paths are requested. The code makes outbound HTTP requests to East Money (push2his.eastmoney.com) which is consistent with the stated data source and does not require credentials.
Persistence & Privilege
Skill is not always-enabled and does not request elevated privileges or modify other skills. It writes data only under the user home workspace path (~/.openclaw/workspace/a-stock/).
Assessment
This skill appears internally consistent for a local paper‑trading tool. Before running: (1) review the scripts yourself and run them in an isolated environment (VM/container) since they perform network requests and write to ~/.openclaw/workspace/a-stock/; (2) be aware data is fetched from East Money (push2his.eastmoney.com) — if you need privacy or different data sources, modify fetch_daily.py; (3) note the docs mention scheduled tasks but no scheduler is installed automatically — you must set up cron/systemd timers yourself if desired; (4) consider the small coding issues (unparameterized SQL in backtest.py) and avoid feeding untrusted inputs to the CLI; (5) no credentials are requested, but monitor outbound network activity if that concerns you.

Like a lobster shell, security has layers — review code before you run it.
