港股美股分析 (HK and US Stock Analysis)
Security checks across malware telemetry and agentic risk
Overview
The skill shows no signs of malware, but it can present stock advice as reliable while some indicators are generated from simulated/random data, and some provider and credential use is under-disclosed.
Review this skill before relying on it for investment decisions. Verify the actual data source, treat any buy/sell advice as non-authoritative, avoid running test scripts with brokerage tokens present, and be aware that stock queries may be sent to third-party APIs.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could place undue trust in buy/hold/risk advice that is partly based on simulated data rather than real historical market data.
The report generator creates simulated random price history for technical indicators and then prints an operation recommendation, while the skill is marketed as real-time technical stock analysis.
# Generate simulated historical data for calculation ... variation = random.uniform(-0.03, 0.03) ... print(f" * {recommendation}")
Treat reports as informational only; require the skill to clearly label simulated indicators, use real historical data for RSI/MACD/MA calculations, and verify recommendations independently.
Users may believe the analysis is based on the advertised Futu source and verified accuracy when the runnable quote code often uses a different provider.
The main Hong Kong quote path uses Tencent's qt.gtimg.cn endpoint, while SKILL.md prominently claims Futu is the primary, verified accurate HK data source.
url = f'https://qt.gtimg.cn/q=hk{code}'
Ask the publisher to align the description with the actual data sources and disclose which provider is used for each report.
Third-party data providers can see the stock symbols the user asks about.
User-requested stock symbols are sent to an external market-data provider, which is expected for this purpose but may reveal investment interests.
url = f'https://finnhub.io/api/v1/quote?symbol={code}&token={FINNHUB_KEY}'
Avoid entering highly sensitive portfolio details unless you are comfortable with the listed providers receiving stock-query metadata.
If a Longbridge token is present in the environment and the test script is run, it will be used for API access.
A test script optionally reads a Longbridge access token and sends it to the Longbridge quote API; this credential use is not declared in the registry metadata, though the script exits if no token is present and only shows quote requests.
token = os.environ.get('LONGBRIDGE_ACCESS_TOKEN') ... 'Authorization': f'Bearer {token}'
Do not run test scripts with brokerage tokens in the environment unless you have reviewed the code and confirmed the token scope is limited.
Users who follow the README may install code or dependencies outside the reviewed package context.
The README documents an external clone and unpinned package installation, while the registry has no install spec. This is user-directed setup, not automatic execution.
git clone https://github.com/gaoren36-arch/stock-analyst.git ... pip install requests
Install only from trusted sources, review the repository before cloning, and prefer pinned dependency versions.
