new-stock-analyzer
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: new-stock-analyzer Version: 1.0.2 The 'new-stock-analyzer' bundle is a comprehensive tool designed to fetch, validate, and analyze A-share IPO data from sources like EastMoney and CFI. The code demonstrates high-quality modular design, including multi-source data validation, automated reporting, and local caching mechanisms. While the bundle includes scripts for persistence (setup_cron.sh) and system resource monitoring (openclaw_daily.sh), these behaviors are explicitly documented and aligned with the tool's stated purpose of providing automated daily stock analysis. No evidence of data exfiltration, malicious prompt injection, or unauthorized remote access was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing dependencies can change the local Python environment and relies on package provenance.
The skill asks users to install Python dependencies locally. This is expected for a Python data-fetching tool, but the registry metadata lists the source as unknown and no homepage, so dependency provenance should be checked.
pip3 install -r requirements.txt
Install in a virtual environment and review requirements.txt before use.
If enabled, the tool may run every day and send notifications until the cron entry is removed.
The skill documents optional cron-based daily execution and notification. This is disclosed and user-directed, but it is still persistent background behavior.
定时任务: 每日自动分析并推送结果 ... bash scripts/setup_cron.sh ... 0 10 * * * cd /path/to/new-stock-analyzer && bash scripts/openclaw_daily.sh
Only enable the scheduled task if you want daily runs, and review/remove the cron entry when no longer needed.
Running the skill will make network requests to third-party financial-data providers.
The code contacts an external market-data site to fetch IPO data. This matches the stated dual-source stock-analysis purpose and does not show credential or private-data transmission.
self.base_url = 'https://newstock.cfi.cn/' ... response = self.session.get(self.base_url, timeout=15)
Use it only in environments where outbound market-data requests are acceptable.
Some security or reliability claims may be stronger than the shown implementation guarantees.
One provided data-source configuration uses plain HTTP, while SKILL.md broadly claims data transmission uses HTTPS. The affected data appears to be public market data, so this is a disclosure/reliability note rather than evidence of exfiltration.
'url': 'http://datacenter-web.eastmoney.com/api/data/v1/get'
Treat analysis and recommendations as informational, verify data independently, and prefer HTTPS data sources where available.