Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

stock-valuation

v1.0.1

A-share / Hong Kong stock valuation lookup tool. Supports multiple valuation measures (PE, PB, PS, discounted shareholder value, discounted free cash flow) and returns a fair price, a margin of safety and a valuation verdict (undervalued / fair / overvalued). Visit the 「柿子估值」 WeChat mini-program for institutional holdings rankings, ETF valuations and more.

by Chen Fei (@chenfei619)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the code and its network target (tz.smxqx.tech); the skill only needs to call an external valuation API. However, the registry metadata declares no required environment variables, while SKILL.md and the code both expect STOCK_VALUATION_AUTH. That is an inconsistency between what the registry shows and what the skill actually needs.
Instruction Scope
SKILL.md instructs the agent to extract a stock code, validate it, run scripts/query_valuation.py, parse JSON, and format output. The script only posts to the declared API endpoint and does not reference other system files or unrelated env vars.
Install Mechanism
This is an instruction-only skill (no install spec). The included Python script uses only the standard library (urllib). No downloads or archive extraction are performed by the skill.
Credentials
The skill requests a single API token (STOCK_VALUATION_AUTH), which is reasonable for its purpose, but the script also contains a hard-coded fallback token embedded in the source. That token is used silently whenever the user does not supply one, so queries may be attributed to the maintainer's account at the remote service, and it indicates careless secret handling. The skill additionally declares curl as a required binary even though the Python script never uses it.
Persistence & Privilege
Skill does not request always:true and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by default, which is expected for skills.
What to consider before installing
The skill appears to be a straightforward wrapper around an external valuation API (tz.smxqx.tech). Before installing:
1. Decide whether you trust the API host: the script POSTs your queries, including the token, to that domain.
2. Set your own STOCK_VALUATION_AUTH in the environment so the hard-coded fallback token in the script is never used.
3. Be aware that the embedded fallback token may route anonymous queries through the maintainer's account, which exposes your query patterns to that service.
4. Note the small inconsistencies (registry metadata says no env vars, SKILL.md marks the token as required, and curl is listed as required but unused); they suggest the package is not carefully maintained.
If you need stronger guarantees, inspect the API operator (tz.smxqx.tech), request documentation for the token, or prefer a skill that uses a trusted, documented data provider.
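The fallback-token finding in the Credentials section and step 2 of the checklist above can be checked mechanically instead of by eye. The following is an added example and not the skill's own code: an AST-based scan that flags os.environ.get(...) / os.getenv(...) calls whose variable name looks secret-bearing and whose default is a non-empty string literal, run against a constructed snippet that imitates the pattern (the token value and the TIMEOUT variable are made up; only the name STOCK_VALUATION_AUTH comes from the page), plus a fail-closed loader that refuses to run without an operator-supplied token.

```python
import ast
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample that reproduces the pattern the scan describes (a token read from
# the environment with a hard-coded fallback). It is NOT the skill's actual
# scripts/query_valuation.py; the token string and TIMEOUT variable are invented.
SAMPLE_SCRIPT = '''
import os
import urllib.request

TOKEN = os.environ.get("STOCK_VALUATION_AUTH", "example-fallback-token-not-real")
TIMEOUT = os.getenv("STOCK_VALUATION_TIMEOUT", "10")
'''

# Variable names that usually carry credentials. A literal default on one of these is
# the finding; a literal default on something like TIMEOUT is ordinary configuration.
SECRET_HINT = re.compile(r"AUTH|TOKEN|KEY|SECRET|PASS|CRED", re.IGNORECASE)


def _is_env_lookup(call: ast.Call) -> bool:
    """Match os.getenv(...), os.environ.get(...) and environ.get(...)."""
    func = call.func
    if not isinstance(func, ast.Attribute):
        return False
    base = func.value
    if func.attr == "getenv":
        return isinstance(base, ast.Name) and base.id == "os"
    if func.attr == "get":
        if isinstance(base, ast.Attribute):
            return base.attr == "environ"
        return isinstance(base, ast.Name) and base.id == "environ"
    return False


def find_hardcoded_fallbacks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, env_var, default) for secret-like env lookups whose default is a
    non-empty string literal, i.e. code that silently runs with a baked-in credential
    when the operator never sets the variable."""
    hits: List[Tuple[int, str, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_env_lookup(node):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant):
            continue  # dynamic variable name; out of scope for this check
        name = str(node.args[0].value)
        default: Optional[ast.expr] = node.args[1] if len(node.args) > 1 else None
        if default is None:
            default = next((kw.value for kw in node.keywords if kw.arg == "default"), None)
        if not (isinstance(default, ast.Constant) and isinstance(default.value, str) and default.value):
            continue  # no default, or an empty one: already fails closed
        if SECRET_HINT.search(name):
            hits.append((node.lineno, name, default.value))
    return hits


def load_required_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Fail-closed replacement for the fallback pattern: the operator must supply the
    token, and nothing embedded in the source is ever used."""
    source = os.environ if env is None else env
    value = (source.get(name) or "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to fall back to an embedded token")
    return value


if __name__ == "__main__":
    for line, var, default in find_hardcoded_fallbacks(SAMPLE_SCRIPT):
        print(f"line {line}: {var} falls back to hard-coded {default!r}")
```

Run the scanner over the real scripts/query_valuation.py after downloading the skill; a hit on STOCK_VALUATION_AUTH confirms the finding, and swapping the lookup for load_required_secret makes the script fail loudly instead of quietly using the maintainer's token.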

Like a lobster shell, security has layers — review code before you run it.

Latest version: vk9755bex7r3stzwy17j8e58q71842b0m


Runtime requirements

Clawdis
Bins: python3, curl
