A Stock Trader
Pass
Audited by ClawScan on May 1, 2026.
Overview
This looks like a local paper-trading helper, not a real trading or credential-stealing tool, but it does fetch public market data, store a local database, and has some minor implementation/provenance caveats.
This appears safe to use as a local educational paper-trading tool if you are comfortable with it creating a database under ~/.openclaw/workspace/a-stock/ and fetching public market data. Do not treat results as investment advice, install Python dependencies from trusted sources, and remember that buy/sell operations affect only the simulated local account.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not run until dependencies are installed, and dependency versions/sources are left to the user.
The included scripts depend on third-party Python packages, while the registry/install information provides no install spec or pinned dependency versions. This is purpose-aligned, but users must supply and trust those dependencies themselves.
import pandas as pd
Install required packages only from trusted package sources and consider pinning known-good versions.
Bad or altered market data could lead to misleading paper-trading results, though there is no evidence of private data exfiltration or real trading.
Market data is fetched from an external plaintext HTTP endpoint and persisted into the local SQLite database. Backtests and simulations can then rely on that stored data, so inaccurate or tampered data could influence results.
base_url = f"http://push2his.eastmoney.com/api/qt/stock/kline/get"; c.execute('''INSERT OR REPLACE INTO daily_data
Treat outputs as educational, verify data quality for important analysis, and prefer authenticated/HTTPS data sources if available.
Using unusual or adversarial stock-code input could produce incorrect reads from the local paper-trading database.
The stock code argument is interpolated into a SQL query instead of being parameterized. The scope is the skill's local SQLite database, but malformed input could change the query behavior or cause errors.
f"SELECT * FROM daily_data WHERE code='{code}' ORDER BY date"
Use normal stock codes; developers should switch this query to parameterized SQL.
Users may expect automatic background operation that is not actually provided, or may enable such behavior without realizing it should be opt-in.
The documentation describes recurring automatic activity, but the provided artifacts do not include an install spec or scheduler implementing it. This is more of a trust/expectation gap than hidden persistence.
System will automatically: - Fetch the day's data after each daily market close ... - Run strategy backtests every week ... - Generate a trading report every month
Treat recurring fetches, backtests, or reports as explicit user-approved tasks unless a separate scheduler is clearly configured.
