Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Akshare Integrated
v1.0.0基于AKShare实时数据,智能评分和动态权重调整,提供多市场多维度股票选股与风险控制建议。
⭐ 0· 243·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to integrate AKShare for real-time stock selection, and the declared dependencies (akshare, pandas, numpy) are consistent with that purpose. However, the SKILL.md repeatedly references a CLI 'stock-selector-akshare' and a Python module 'stock_selector_akshare' (and an HTTP API at localhost) that are not included, published, or installed by the instructions—there is no install spec or package name that would provide those artifacts. That mismatch means a user following the instructions will not get the advertised CLI/module unless they obtain additional code from elsewhere.
Instruction Scope
Instructions focus on fetching data via AKShare and computing scores, which is within scope. They do not request unrelated files or secrets. Concern: instructions assume running a local service and a CLI/module without giving installation/source for that service, and leave implementation details vague (caching, backup sources, API endpoints). This ambiguity could lead the operator to install third-party code from unknown sources.
Install Mechanism
There is no formal install spec in the skill bundle; SKILL.md suggests 'pip install akshare pandas numpy'. Installing packages from PyPI is typical but executes code from external registries—expected for this purpose but still a security consideration. Importantly, the SKILL.md does not provide any package or repository for the 'stock-selector-akshare' CLI or the 'stock_selector_akshare' Python module, so the bundle itself supplies no runtime artifacts.
Credentials
The skill requests no environment variables, credentials, or config paths. Nothing in the documentation asks for unrelated secrets. This is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request 'always: true', does not include install-time scripts in the bundle, and does not declare modifying other skill or system configuration. It requires no persistent privileges within the agent manifest.
What to consider before installing
This SKILL.md describes a useful AKShare-based stock selector but is missing the actual CLI/package/server that the examples call (stock-selector-akshare and stock_selector_akshare). Before installing or running anything: 1) Ask the publisher for the authoritative source (PyPI package name, GitHub repo, or published binary) that provides the CLI/module and the service API; 2) verify the source code or release artifact and its integrity (review repository, maintainers, and recent commits); 3) avoid blindly running 'pip install' in a production environment—install in an isolated environment (virtualenv/container) and inspect dependencies; 4) if you must run a local API server, ensure it’s from a trusted repository and run with least privilege and network restrictions; 5) confirm licensing, data sources, and rate limits for AKShare usage. The main issue here is incoherence (missing runtime artifacts), not explicit malicious behavior, but that gap increases risk if you search for and install third-party code to fill it.Like a lobster shell, security has layers — review code before you run it.
latestvk97ebvtmxjbj9wah45j62cfs3582x866
License
MIT-0
Free to use, modify, and redistribute. No attribution required.