Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
田伯光股票分析
v1.2.0 In-depth stock analysis (18-dimension fusion edition): combines fundamental valuation with a practical trading perspective, supports A-shares / Hong Kong stocks / US stocks, and outputs a complete 9-part Feishu document report.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill purpose (deep stock analysis + producing a Feishu document) is coherent with the instructions (fetch public market data, run an 18-dimension analysis, create a Feishu doc). However, the SKILL manifest declares no required binaries or environment variables while the runtime instructions explicitly call feishu_doc create/read/write and expect access to many public data sources — the manifest omits the Feishu integration and any credential needs, which is an incoherence.
Instruction Scope
SKILL.md instructs the agent to fetch seven categories of data (prices, financials, shareholder lists, announcements, news, technical signals) and to enforce strict validity rules (refuse if completeness <50%). It also mandates calling a Feishu CLI (feishu_doc create/read/write) and performing content verification (block_count, revision_id, content length) and auto-repair. These runtime steps are explicit and scoped to the stated purpose, but they assume network access and a Feishu client/API token — neither is declared. There is no instruction to read local secrets or unrelated files, which is good.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk footprint and supply-chain risk. The only risk is the implicit runtime dependency on a Feishu client or connector (feishu_doc) and network access to the listed data sources; those are not installed by the skill itself.
Credentials
The runtime requires Feishu document creation, which normally needs API credentials or an authenticated client, but the skill declares no required environment variables / primary credential. This omission is disproportionate: Feishu tokens (or platform-provided connector permissions) should be declared and scoped. The skill also requires access to many public web data sources (Eastmoney, cninfo, Yahoo Finance, HKEX, etc.) — those are appropriate for the stated purpose but imply outbound network access and possible scraping; the manifest should document any credentials or rate-limit considerations.
Persistence & Privilege
The skill does not request always:true and does not require system persistence or modify other skills/config. It only describes creating Feishu documents (user-visible artifacts). Autonomous invocation is allowed by platform default but is not combined here with other high-risk indicators.
What to consider before installing
Key issues to resolve before installing:

(1) Clarify Feishu integration: who provides the feishu_doc client and where do Feishu API tokens live? The skill's instructions call feishu_doc create/read/write but the manifest lists no required binaries or env vars — ask the author to declare required binaries and any Feishu_TOKEN / FEISHU_APP_ID credentials and to explain token scope and storage.

(2) Confirm network/data access: the skill will fetch multiple public data sources (Eastmoney, cninfo, Yahoo Finance, HKEX); ensure you are comfortable granting outbound web access and check any scraping/terms-of-service issues.

(3) Test in a sandbox: run the skill in a controlled environment to observe which endpoints it calls and to confirm it does not attempt to read unexpected local files or secrets.

(4) Least privilege: if Feishu credentials are required, provide a dedicated, limited-scope bot/app credential, not broad personal credentials.

(5) Ask for provenance: the skill has unknown source/homepage — request author identity, code, or an install spec so you can audit how feishu_doc is provided and how data is fetched.

These inconsistencies are explainable (platform connectors could supply Feishu integration), but until clarified you should treat the skill as suspicious.
Version: latest (vk978faw7q19rsv7sfmczqverv184hrzw)