Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Prediction
v1.0.0自动化股票预测工作流。当用户发送包含股票代码的图片,并提及"预测"、"未来x天"、"采样次数"等关键词时触发。包含:图片中股票代码提取、预测环境检查与自启动、模型版本校验与切换、批量预测脚本执行、结果回传。
⭐ 0· 164·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims end-to-end image→prediction behavior and includes scripts to check/start a local backend, switch models, run batch predictions, and read result files. That broadly matches a local prediction workflow. However, the SKILL.md promises image stock-code extraction but none of the provided scripts perform OCR or image parsing — that functionality is missing from the bundle. The code is also tightly tied to a Windows Administrator Desktop path and a specific conda environment, which is a strong environmental assumption that may not match users' systems.
Instruction Scope
Runtime instructions explicitly tell the agent to create folders under C:\Users\Administrator\Desktop\kronos, start/ensure a local service via localhost:8000, activate a conda env, run batch_predict.py, and read result files to send to the user. These actions stay within the claimed purpose (local prediction), but they require the agent to run local commands, spawn processes, and write files to a specific Administrator directory — operations that have real side effects and should not be executed on a machine you don't control or without verifying the backend code.
Install Mechanism
No install spec / no external downloads. The skill is instruction-first and ships three helper scripts. Nothing in the manifest downloads arbitrary code or uses third-party registries.
Credentials
The skill requests no environment variables or external credentials, and makes only localhost HTTP calls. That is proportionate. However, it hardcodes sensitive-looking local paths (Administrator Desktop) and a conda environment name; these assumptions elevate risk if run with elevated privileges or on a multi-user host. Also the skill will spawn processes (python main.py) and could run arbitrary code present in the local backend.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings in the provided files. It does, however, start a local service process and launch commands while running, which is expected for a local workflow but is an action with privilege implications at runtime.
What to consider before installing
This skill will run local commands (conda activate, python main.py, batch_predict.py), start processes, call localhost:8000, and read/write files under C:\Users\Administrator\Desktop\kronos. Before installing or running it: 1) Verify where image OCR/stock-code-extraction is implemented (the provided scripts don't do OCR); 2) Inspect the backend code (main.py, batch_predict.py) that the skill will start — those files are not included here and could perform arbitrary actions; 3) Do not run on a production or sensitive host — test inside an isolated VM or sandbox first; 4) Update hardcoded paths and conda environment names to point to a non-privileged, known directory or use a dedicated user; 5) Ensure you trust the source (no homepage/unknown owner) and consider firewalling localhost:8000 or monitoring outbound connections while testing. The package is coherent for a local workflow but missing components and hardcoded assumptions make it risky without further review.Like a lobster shell, security has layers — review code before you run it.
latestvk9739cnbgnyf8hbk1nhd971a2x833hxc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.