Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A-Share Daily Brief
v1.0.1 A-share daily brief generator. Built on EastMoney's free public data, it generates a brief covering the major indices, sector gains and losses, and the top gainers and losers rankings with one click. Chinese-first, no API key required, ready to use out of the box. Triggered when the user says "A股" (A-shares), "今日行情" (today's market), "大盘指数" (major indices), "股票" (stocks), or "今日A股" (today's A-shares). Keywords: A股, 股票, 行情, 大盘, 涨跌, 东方财富, 简报.
⭐ 0 · 74 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md instructions and the included script are consistent: the code fetches A‑share index, sector and top movers from EastMoney (push2.eastmoney.com) and formats a brief. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md instructs running the included script in place; the script only makes outbound HTTPS requests to EastMoney and prints/returns JSON/text. However, the fetch_json() function contains an SSL downgrade path that disables hostname checking and certificate verification on SSL errors (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). That weakens TLS guarantees and could allow fetched data to be tampered with by a local/network attacker. Also the WORKSPACE constant is defined but unused (minor hygiene issue).
Install Mechanism
No install spec and no third‑party dependencies; the script uses only the Python standard library. This is low risk from an install/third‑party package perspective.
Credentials
The skill requests no environment variables, no credentials, and does not read config paths. The script does not exfiltrate secrets or access unrelated system configurations.
Persistence & Privilege
The skill does not request always:true, does not modify system or other skills, and is user-invocable only. It makes outbound network requests when run but otherwise has no persistent privileges.
What to consider before installing
This skill appears to do what its description says (fetching public stock data from EastMoney and formatting a brief). The primary concern is the script's TLS fallback: it disables certificate verification when an SSL error occurs, which can allow a man‑in‑the‑middle to return altered data. Before installing or running it, consider one of: (1) remove the SSL‑downgrade branch so failures are surfaced and TLS is enforced; (2) implement certificate pinning or stricter validation; or (3) run the script in a sandboxed environment/network that you trust. Also review the code yourself (it's short) and confirm you are comfortable allowing outbound HTTPS calls to push2.eastmoney.com. If you need high assurance of data integrity for trading or automation, do not run this in production until TLS verification is restored.
Like a lobster shell, security has layers — review code before you run it.
Tags: a-share, brief, chinese, finance, latest, market, stock
Runtime requirements: 📈 Clawdis
