Investment Daily Report
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: investment-daily-report Version: 1.0.0 The skill bundle is a legitimate financial report generator that collects market data for A-shares, HK, and US stocks. The core logic in `scripts/generate_report.cjs` uses standard Node.js HTTP modules to query a financial API via a local gateway (localhost:19000) and writes the formatted results to a Markdown file. There is no evidence of data exfiltration, unauthorized file access, or malicious intent in the code or instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes the bundled script on the user's machine and creates a report file.
The skill asks the user to run an included Node.js script. This is central to the stated report-generation purpose, but it is still local code execution.
node scripts/generate_report.cjs
Run it only if you are comfortable executing the included script, and choose output paths carefully.
The external data provider can receive the report's market-data query topics.
The script sends financial search queries through a local gateway to a remote NeoData endpoint. This is disclosed and purpose-aligned, and the code sends fixed market-query text rather than local files or credentials.
hostname: 'localhost', port: 19000, path: '/proxy/api', ... 'Remote-URL': 'https://jprx.m.qq.com/aizone/skillserver/v1/proxy/teamrouter_neodata/query'
Use the skill only when external financial-data queries are acceptable for your workflow.
Users may have less certainty that the registry metadata fully reflects the bundled code version.
The bundled script and changelog identify version 1.2.0, while registry metadata lists version 1.0.0 and the source/homepage are unknown. This is a provenance/versioning inconsistency, not evidence of malicious behavior.
// 投研日报生成器 v1.2.0
Review the included script before use and prefer a package with synchronized version metadata and a clear source repository.