Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
IRS Strategy Development Skill
v0.1.0

This skill should be used when the user needs to write, review, or debug trading strategies using the IRS (SunnyQuant Investment Research System) framework....
by Dameng (@dameng324)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description and the SKILL.md focus on developing and debugging IRS (SunnyQuant) C# strategies; the large set of reference docs, examples, and table schemas are coherent with that purpose. However, the package also bundles internal network paths, IP addresses (e.g. 192.168.x.x), UNC shares (\\192.168.x.x\...), private NuGet endpoints (nuget.shengguanda.com) and explicit DB connection strings — items that are only appropriate for an internal/enterprise distribution, not a general public skill. The presence of these resources without declaring them as required environment values is unexpected.
Instruction Scope
SKILL.md stays on-topic for strategy development and contains actionable instructions (how to create projects, subscribe to market data, and place orders). But it references environment configuration (DATA_SOURCE_BASE_PATH), suggests installing an internal dotnet template from a private NuGet server, and demonstrates setting a SqlServer connection string. The instructions do not direct the model to read arbitrary user files, but they do assume access to internal network storage and databases — scope that may be inappropriate for public use and that could expose sensitive infrastructure details if the skill is shared publicly.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. However, the package contains 616 files of internal reference material and JSON table schemas embedded in the skill bundle. Packaging and redistributing that much internal documentation (including credentials and internal host names) increases the risk of accidental leakage of sensitive information. No downloaded executables or remote installs were observed.
Credentials
The metadata declares no required env vars or credentials, yet the content includes hardcoded connection strings (e.g. SqlServer connection string with User Id=Traders;Password=abcd4321), usernames/passwords for an online data dictionary (szsgdsjk01 / gildata@123), internal Redis and file-share addresses, and a private NuGet source. Those secrets/endpoints are not justified as public requirements of the skill and were not declared in requires.env; this is disproportionate and may leak internal credentials/hosts.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config modifications, and is user-invocable with normal model invocation. No elevated persistence or privileged flags were found.
Scan Findings in Context
[embedded_internal_connection_string] unexpected: The SKILL package references a SqlServer connection example with plaintext credentials: 'Server=192.168.1.129;Database=JYDB;User Id=Traders;Password=abcd4321;Encrypt=false;TrustServerCertificate=True'. This is relevant to connecting to internal research DBs but should not be embedded in a publicly distributed skill.
[embedded_internal_service_endpoints] unexpected: The references include internal IPs and UNC paths (e.g. \\192.168.1.147\sgd-data\data) and Redis host examples (192.168.1.132:6378). These are plausible for internal documentation but are sensitive for public distribution.
[embedded_credentials_for_documents] unexpected: The jydb.md lists credentials for an online data dictionary (username: szsgdsjk01, password: gildata@123). Credentials embedded in docs are a leakage risk and not appropriate for public packages.
[private_nuget_source_reference] expected: SKILL.md suggests installing a dotnet template from a private NuGet source (https://nuget.shengguanda.com). This is expected for an internal framework but not usable by external users.
What to consider before installing
This skill appears to be internal/enterprise documentation for the IRS (SunnyQuant) system and mostly does what it says — but it contains many internal network addresses and plaintext credentials embedded in the package. Before installing or enabling it:

1) Confirm the publisher/source and ensure you trust them (this is not from a public/verified project).
2) Do not install in an environment where exposing internal hosts or embedded secrets could leak sensitive data.
3) Ask the author for a sanitized version that removes plaintext credentials and internal UNC/IP references; credentials should be provided via secure configuration or environment variables only.
4) If you are an internal user: rotate any credentials found in these files (treat them as potentially leaked) and replace embedded secrets with secure configuration.
5) If you expected a public skill, treat this as suspicious and avoid granting access to any systems until the package is cleaned and the source verified.
