Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jun-invest-option-master (DEPRECATED)

v0.99.0

DEPRECATED. Use jun-invest-option-master-agent.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The registry SKILL.md simply says 'DEPRECATED' and points to another skill, but the published bundle includes a complete invest_agent app (prompts, adapters, assembler/validator, and many scripts). That makes the published content far larger and more operational than the minimal 'deprecated' message implies. The included adapters (Futu, yfinance, stooq) and network access are coherent with an investment agent, but the presence of installer scripts and hard-coded user workspace paths (e.g., /Users/lijunsheng/.openclaw/workspace-jun-invest-option-master) is unexpected for a simple deprecation notice.
Instruction Scope
While SKILL.md is minimal, other runtime docs (agent/AGENTS.md, BOOTSTRAP.md, SOUL.md) explicitly instruct automated behaviors: treat specific user utterances like 'upgrade agent' as a command to run a fixed upgrade sequence (clawhub update, run scripts/install.sh, openclaw agents add, possibly restart gateway). Those instructions ask the agent to execute shell-level operations and to sync/install code into user workspaces without additional user confirmation, which expands scope beyond mere read-only assistance. The docs also reference modifying system services (setup-launchd.sh) and installer scripts that can change files on disk.
Install Mechanism
There is no formal install spec in the registry, but the repository includes multiple installer and setup scripts (scripts/install.sh, auto-install.sh, setup-launchd.sh, setup-runtime-git.sh, publish.sh). Running those scripts could write files, configure launchd jobs, or change the OpenClaw workspace. Because the registry claims 'no install spec' while shipping runnable installers, an agent following repo instructions might execute arbitrary local changes. The scripts are local (not remote downloads), but their actions should be audited before execution.
Credentials
The skill declares no required environment variables or credentials, yet the code integrates with futu-api (broker/OpenD) and yfinance and expects a local OpenD (127.0.0.1:11111) and Python packages (futu-api, yfinance). The project documentation says secrets won't be bundled and should be provided via environment or local config, but the registry metadata does not declare those env vars. Hardcoded example paths and owner fields (owner: shengge; /Users/lijunsheng) are present, which is inconsistent and could cause surprising behavior if installer scripts assume those paths.
Persistence & Privilege
The skill is not marked always:true, and is user-invocable (normal). However, the repo contains scripts capable of making persistent system changes (e.g., setup-launchd.sh), and AGENTS.md defines an automatic 'upgrade' trigger that, if followed by an agent runtime, would execute installer steps. That combination increases the potential blast radius if the agent is allowed to run commands derived from this skill; it's not automatically privileged by registry flags, but it contains code that can request persistence.
What to consider before installing
This package is inconsistent: the short SKILL.md marks it DEPRECATED, but the bundle contains a full invest-agent app with installer scripts and explicit instructions to run upgrade/install commands. Before installing or running anything:

1) do not run scripts/install.sh or setup-launchd.sh unreviewed — open them and inspect what they do;
2) watch for hardcoded paths (/Users/lijunsheng...) and adjust to your environment;
3) verify any network/broker integrations (futu-api expects a local OpenD and possibly credentials) and never paste secrets into repo files;
4) prefer the recommended replacement skill (jun-invest-option-master-agent) if available;
5) if you must test, run inside a sandbox or disposable VM and avoid running installer scripts as root.

If you want, I can summarize the contents of specific scripts (install.sh, setup-launchd.sh, publish.sh) or highlight exact lines that modify system files so you can audit them quickly.

Like a lobster shell, security has layers — review code before you run it.

latest vk976ed58djvy5qtrnm0a55tpyn828334
412 downloads
0 stars
9 versions
Updated 7h ago
v0.99.0
MIT-0

DEPRECATED: jun-invest-option-master

This skill is deprecated.

Use instead: jun-invest-option-master-agent
