"InvAssistant"

v1.1.0

Investment portfolio trading signal checker based on a "Three Red Lines" entry system and a multi-layered exit system (take-profit, stop-loss, trend-break, m...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and README: the package fetches Yahoo Finance data, applies the described 'three red lines' entry rules and multi-layer exit engine, formats reports, and can push to WeChat Work / DingTalk / Feishu webhooks. Required binary (python3) and listed Python dependencies are appropriate for the task.
Instruction Scope
SKILL.md instructs the agent to read/write invassistant-config.json, run provided Python scripts (portfolio_checker, init_config, etc.), and optionally push results to configured webhooks. This is expected, but the skill will transmit report data to any webhook URL you configure — review webhook destinations before enabling push. The README also describes deploying an outgoing-webhook receiver (external HTTP endpoint) if you want bot triggers; that is an optional integration the user must set up and is not performed by the skill itself.
Install Mechanism
No install spec pulls arbitrary binaries from external hosts. The repo includes code files and a lightweight requirements.txt (requests, pandas). The recommended install is pip install -r requirements.txt, which is proportional and traceable.
Credentials
The registry metadata declares no required env vars, which aligns with the skill storing webhook URLs/secrets in invassistant-config.json (or optionally in environment vars named WECOM_WEBHOOK_URL, DINGTALK_WEBHOOK_URL/SECRET, FEISHU_WEBHOOK_URL/SECRET). Requesting webhook secrets is proportional to pushing messages, but users should be aware secrets may be stored in plaintext config if they follow the default workflow.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request permanent platform-wide privileges or modify other skills; it runs as a user-level tool invoked by commands or schedule as described.
Assessment
This skill appears to do exactly what it claims: fetch Yahoo Finance data, evaluate entry/exit rules, and optionally post reports to group chat webhooks. Before installing or using it:
1) Review and, if necessary, run the code in an isolated environment (virtualenv/container) and inspect the send_* scripts to confirm webhook behavior.
2) Only configure webhook URLs/secrets for destinations you trust — any configured webhook will receive report content.
3) Be aware the default config file (invassistant-config.json) may store secrets in plaintext; prefer environment variables or protect the file.
4) If you plan to enable automatic triggering (outgoing webhook receiver), host the receiver on a secured endpoint and validate incoming requests.
5) Install Python dependencies in a virtualenv and verify network access policies if you need to limit outbound connections.
If you want me to, I can scan the full contents of the send_* scripts or highlight exactly what data is sent to webhooks.

Like a lobster shell, security has layers — review code before you run it.

latestvk9755pq8yfx29gv79jmcfnkkfd82rcj9

Runtime requirements

Bins: python3