Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

trading-monitor

v1.2.0

Intraday stock-watch scheduled task management. Creates, configures and manages automated analysis tasks for A-share trading hours, including scheduled market updates, in-depth analysis, and a final analysis before the close. Use cases: setting up market watching, adjusting analysis frequency, checking task status, stopping/starting tasks. Trigger words: 盯盘 (watch the market), 设置分析 (set up analysis), 开盘监控 (opening monitoring), 调整频率 (adjust frequency), 盯盘任务 (watch task).

by changle@cle87937-code
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to manage scheduled A-share analysis tasks, which fits the openclaw cron usage shown, but SKILL.md repeatedly references local scripts (scripts\setup.ps1, scripts\manage.ps1) that are included in neither the package nor the install spec. It also refers to pushing results to channels (Feishu) and target IDs, yet does not declare or request any channel/API credentials. Assuming access to messaging channels without declaring how credentials are provided is inconsistent with the stated purpose.
Instruction Scope
The instructions tell the agent/user to run PowerShell deployment and management scripts and to change a gateway-wide setting (`openclaw config set tools.exec.security full`). Asking operators to relax the exec allowlist is a scope-expanding action that affects the security of the whole platform, not just this skill. The messages passed into the cron tasks instruct the agent to fetch news, query holdings, analyze markets and send reports, which is within purpose; but because the scripts that implement these steps are absent, it is unclear what code will actually run when the user follows the steps.
Install Mechanism
There is no install spec and no included executable scripts. SKILL.md expects local scripts under scripts\, but those files are not present in the manifest. Users would therefore have to obtain the scripts from an unspecified external source before deployment, a risky and untracked step.
Credentials
The skill references notification channels (Feishu) and target IDs, which normally require API tokens or integration credentials, but `requires.env` and the primary credential are empty. That mismatch suggests the skill needs secrets or configuration it does not declare. Additionally, the guidance to set exec security to 'full' broadens what cron tasks can execute and may enable actions beyond the stated monitoring purpose.
Persistence & Privilege
The skill does not set `always: true`, but it instructs the platform to create recurring cron jobs and explicitly recommends changing the gateway exec security; together these create persistent automated tasks that can execute system commands. The skill does not modify other skills, but asking operators to relax a global security policy is a noteworthy privilege escalation risk.
What to consider before installing
This skill's goal (automated intraday stock analysis) is reasonable, but there are gaps and risky suggestions to resolve before installing:
1) SKILL.md references deployment and management scripts (scripts\setup.ps1, scripts\manage.ps1) that are not included. Ask the publisher where they come from and inspect them before running anything.
2) The skill suggests changing the gateway exec policy to 'full'. Do not relax a global exec allowlist unless you have audited the scripts and understand the implications; the setting is gateway-wide and applies to every skill, not just this one.
3) The skill expects to push messages to channels such as Feishu but does not declare the required API tokens or how secrets are stored. Confirm which credentials are needed and grant the minimum scope.
4) Treat any one-click deployment script obtained from an external source as untrusted until reviewed; run it in a sandbox or staging environment first.
If you cannot obtain the missing scripts from a trustworthy source, do not enable the cron tasks or change exec security.
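The four points above amount to a pre-install audit that can be automated. The script below is an added example, not ClawHub's or OpenClaw's own scanner: given the text of a SKILL.md, the list of files the package actually ships, and its manifest as a dict, it reports scripts that are referenced but not shipped, instructions to set `tools.exec.security` to `full`, messaging channels mentioned without any declared credentials, and cron tasks that would run under a relaxed exec policy. The manifest field names (`requires.env`, `always`) and the SKILL.md excerpt are assumptions modelled on the findings on this page, and the excerpt is constructed, not the skill's real file.

```python
"""Pre-install audit for an OpenClaw-style skill package (added example).

Assumes a skill package is a directory holding SKILL.md plus whatever files
it ships, and a manifest dict with optional `requires.env` (list of env var
names) and `always` (bool). These field names are assumptions modelled on
the scan findings, not a documented OpenClaw schema.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Script references such as scripts\setup.ps1 or scripts/manage.sh in SKILL.md
SCRIPT_REF = re.compile(r"scripts[\\/][\w.\-]+\.(?:ps1|sh|py|bat|cmd)", re.I)
# The gateway-wide setting the page warns about
EXEC_RELAX = re.compile(r"tools\.exec\.security\s+full")
# Use of the platform's cron facility (creates persistent tasks)
CRON_USE = re.compile(r"\bopenclaw\s+cron\b", re.I)
# Channels whose use normally implies an integration token
CHANNEL_HINTS = ("feishu", "slack", "telegram", "discord")


def _norm(path: str) -> str:
    """Normalise separators and case so scripts\\x.ps1 matches scripts/x.ps1."""
    return PureWindowsPath(path).as_posix().lower()


def audit_skill(skill_md: str, shipped_files: List[str], manifest: Dict) -> List[str]:
    """Return a list of findings; an empty list means none of these checks fired."""
    findings: List[str] = []
    shipped = {_norm(f) for f in shipped_files}

    # 1) Every script the instructions tell the operator to run must ship in the package.
    for ref in sorted(set(SCRIPT_REF.findall(skill_md))):
        if _norm(ref) not in shipped:
            findings.append(f"missing script: {ref} is referenced in SKILL.md but not shipped")

    # 2) Relaxing a gateway-wide exec policy is outside any single skill's scope.
    relaxes_exec = bool(EXEC_RELAX.search(skill_md))
    if relaxes_exec:
        findings.append("scope expansion: instructs setting tools.exec.security to 'full'")

    # 3) Messaging channels need tokens; they should be declared in the manifest, not assumed.
    text = skill_md.lower()
    mentioned = [c for c in CHANNEL_HINTS if c in text]
    declared = manifest.get("requires", {}).get("env") or []
    if mentioned and not declared:
        findings.append(
            f"undeclared credentials: mentions {', '.join(mentioned)} but requires.env is empty"
        )

    # 4) Recurring cron tasks plus a relaxed exec policy means persistent arbitrary execution.
    if CRON_USE.search(skill_md) and relaxes_exec:
        findings.append("persistence: recurring cron tasks would run under the relaxed exec policy")
    return findings


def should_block(findings: List[str]) -> bool:
    """Block installation when a referenced script is missing or exec policy is relaxed."""
    return any(f.startswith(("missing script", "scope expansion")) for f in findings)


# Constructed SKILL.md excerpt modelled on the scan findings above (not the real file).
SAMPLE_SKILL_MD = """# trading-monitor
Run scripts\\setup.ps1 once, then use scripts\\manage.ps1 to start or stop tasks.
Before deployment run: openclaw config set tools.exec.security full
Tasks are created with openclaw cron and results are pushed to feishu.
"""
SAMPLE_FILES = ["SKILL.md"]  # the package ships only the instructions
SAMPLE_MANIFEST = {"requires": {"env": []}, "always": False}

if __name__ == "__main__":
    results = audit_skill(SAMPLE_SKILL_MD, SAMPLE_FILES, SAMPLE_MANIFEST)
    for line in results:
        print("-", line)
    print("block install:", should_block(results))
```

Run against the constructed excerpt the audit reports two missing scripts, the exec-policy change, an undeclared Feishu credential and the cron/exec combination, and `should_block` returns True; a package that ships both scripts, declares a token in `requires.env` and drops the exec-policy line produces no findings.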


Tags: a-stock, cron, latest, monitor, trading

