Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LG Data Stock Monitor
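v1.0.2
LG Data quantitative data platform - automated market watching, token-free autonomous strategy execution. Supports real-time A-share/H-share quotes, minute-bar data, and Feishu/WeChat webhook push. Create a monitoring task with a single sentence; it runs in the cloud 24/7 and sends millisecond-level notifications when a strategy triggers. Keywords: quantitative, market watching, stock monitoring, automated trading, real-time data, Feishu push, WeChat alerts, serverless quant, serverless strategy execution, ...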
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide cloud stock monitoring and the included scripts call a remote LG Data API (endpoints like /agent/skills/execute, /agent/skills, /api/agent/approvals). That behavior matches the stated purpose. However, the registry metadata reported no required env vars while the SKILL.md and scripts require LG_AGENT_BASE_URL and LG_AGENT_TOKEN (or cookie/CSRF); this mismatch is an inconsistency to be aware of.
Instruction Scope
SKILL.md instructs users to set LG_AGENT_BASE_URL and LG_AGENT_TOKEN and to run the provided scripts. The scripts only perform HTTP requests to the configured base URL and do not read arbitrary files or other system secrets, but they will POST whatever JSON you pass to /agent/skills/execute and can perform approval actions (approve/reject). Because the skill will transmit user-supplied JSON and authorization credentials to the remote host, confirm you trust the host before providing credentials.
Install Mechanism
No install spec; this is instruction-only with small helper scripts. Nothing is downloaded or written beyond the included files, which lowers installation risk.
Credentials
The scripts and SKILL.md require LG_AGENT_BASE_URL and LG_AGENT_TOKEN (with fallbacks to LG_AGENT_COOKIE_HEADER and LG_AGENT_CSRF_TOKEN). The registry metadata (Requirements section) lists no required env vars — this discrepancy is concerning because the skill will not function and will error unless you supply sensitive credentials that were not declared in the registry. Other than that, the requested variables are proportional to the described API interaction (a bearer token or session cookie is expected).
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and does not require persistent presence beyond normal operation. Autonomous invocation is allowed by default (normal), but no extra privileges are requested.
What to consider before installing
This skill is generally consistent with a remote cloud stock-monitoring service: the bundled scripts call a user-configured LG Data API and require a bearer token or session cookies. However, the registry metadata fails to declare the required environment variables (LG_AGENT_BASE_URL, LG_AGENT_TOKEN, and optional LG_AGENT_COOKIE_HEADER / LG_AGENT_CSRF_TOKEN). Before installing or using it:
- Only provide LG_AGENT_TOKEN or cookie/CSRF to this skill if you trust the LG Data service and the domain (default https://lg-data.cc). Verify the service's authenticity independently.
- Prefer creating a scoped/revocable token on the platform (not your primary account password) so you can revoke it if needed.
- Be aware the scripts will POST any JSON you supply to the remote endpoint (including write/approval actions). Avoid sending other secrets in those JSON bodies.
- If unsure, run the scripts in an isolated environment and inspect network traffic, or contact the skill author/homepage (none provided) for provenance. The metadata mismatch lowers confidence; treat the skill as suspicious until you verify the endpoint and token handling.
