Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

fetch-stock-daily

v1.0.0

Resolve a China A-share stock name or code in pure Node.js, fetch daily historical bars from Eastmoney HTTP APIs, and archive them as local JSON files. Use w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included Node.js script and README: resolving CN A‑share names/codes, calling Eastmoney list and historical kline APIs, and saving JSON archives. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md and the script stick to the stated workflow (resolve symbol -> fetch -> map rows -> write archive). The script performs network requests to Eastmoney endpoints and reads/writes files under the repo (data/cache and data/raw). This file I/O and network access are expected for the task but are the primary side effects to be aware of.
Install Mechanism
Instruction-only skill with a bundled Node.js script and no install spec; nothing is downloaded or installed at runtime by the skill itself (lowest install risk).
Credentials
The skill declares no required environment variables or credentials. The code does not request or read external secrets; it only uses process.cwd() for local cache/archive paths.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings (normal). It does create persistent local files (cache and archived JSON) within the repository workspace; it does not modify other skills or system-wide config.
Assessment
This skill appears coherent and limited to fetching data from Eastmoney and writing local JSON files. Before installing, ensure you are comfortable with: (1) network calls to push2.eastmoney.com and push2his.eastmoney.com, (2) creation of files under data/cache/eastmoney and data/raw/eastmoney in your working directory (the script will cache symbol lists and archive results), and (3) running the script with a Node.js runtime that provides fetch and AbortSignal.timeout (Node 18+). No credentials are requested. If you prefer, run the script in an isolated/project workspace first to inspect the created files.
scripts/fetch_daily_json.js:183
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
