Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
股票全面分析v3 (Comprehensive Stock Analysis v3)
v3.0.0 Comprehensive Stock Analysis v3.0 - HK/US/A-share markets + Futu data source + technical indicators (RSI/MACD) + multi-source news + financial report analysis + 7-section reports
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: the repository implements market quotes, technical indicators, news aggregation and financial analysis for HK/A/US markets and calls reasonable external data endpoints (qt.gtimg.cn, finnhub.io, futunn.com, ai.6551.io, eastmoney search, etc.). Declared requirement 'python' is correct. SKILL.md declares 'browser' capability (for futu scraping) although most code uses HTTP requests; the browser capability is plausible but not strictly required by many files.
Instruction Scope
Runtime instructions and code make outgoing network calls to multiple third‑party services for quotes and news (expected for this skill) but also access environment variables and include test scripts that try to read tokens (e.g., LONGBRIDGE_ACCESS_TOKEN). The SKILL.md does not declare those env vars. Multiple files embed a hard-coded Finnhub API key and the main Python modules will use an environment override (FINNHUB_API_KEY) if present — this mismatch between declared requirements and actual runtime behavior is concerning and should be reviewed.
Install Mechanism
No install spec; code is instruction-and-script based and relies on Python and requests. That is low risk from an install-download perspective (nothing is pulled from arbitrary URLs at install time).
Credentials
No required env vars were declared, yet code contains a hard-coded Finnhub key ('d6nucg1r01qse5qn5e90d6nucg1r01qse5qn5e9g') used in many files (analyze_stock.py, company_info.py, report_v2.py, report_v3.py, jd_logistics.py, test_stock.py, stock_analyst.py default fallback). Some test files also read LONGBRIDGE_ACCESS_TOKEN from the environment. Asking for or embedding API keys without declaring them is disproportionate and may expose a leaked/shared key or cause unexpected network access; the skill should instead declare required credentials and document how keys are used.
Persistence & Privilege
Skill is not 'always' included and is user-invocable. It does not request elevated or cross-skill configuration, and there is no install-time modification of other skills or system settings observed.
Scan Findings in Context
[HARDCODED_API_KEY_FINNHUB] unexpected: Multiple files contain a hard-coded Finnhub API token string. While the skill legitimately needs market-API access, embedding a secret in code instead of using a declared env var is unexpected and raises concerns about key ownership and misuse.
What to consider before installing/using this skill:
- Hard-coded API key: The code contains a Finnhub API token baked into many scripts. That may be a demo/shared key or a leaked secret; do not assume it's safe. Prefer replacing it with your own FINNHUB_API_KEY stored in environment variables and confirm the key's permissions and rate limits.
- Undeclared environment usage: Some test scripts reference LONGBRIDGE_ACCESS_TOKEN and the main code will use FINNHUB_API_KEY if present — but the SKILL metadata declares no required env vars. Expect the skill to access network endpoints; review which tokens you provide.
- Network access: The skill makes many outgoing HTTP requests to third-party services (qt.gtimg.cn, finnhub.io, futunn.com, ai.6551.io, eastmoney search, longbridge APIs). Run it in a sandbox or with network monitoring if you are cautious.
- Remove or inspect test scripts: Several test_* and debug_* files perform additional API calls and could be run accidentally. Consider removing or auditing them before execution.
- Source trust: The package lists an unknown source and no homepage. If possible, obtain the code from a trustworthy upstream (or contact the author) and verify the provenance.
If you want to use this skill safely: run it in an isolated environment, set your own API keys via environment variables (do not rely on the embedded key), and remove or disable test/debug scripts that you do not need.
Version: latest (vk97491r4qgyzzgygrzgkv90fzs836pxr)
Runtime requirements
Bins: python
