A-Share Investment Decision Assistant (A 股投资决策助手)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stock-report purpose, but it runs an unbundled helper from the shared workspace while handling portfolio data, so it should be reviewed before installation.
Before installing, inspect ~/.openclaw/workspace/shared_memory_loader.py because this skill imports and runs it. Also confirm the holdings in SHARED_MEMORY.md are accurate, understand that stock tickers are queried through qt.gtimg.cn, and keep generated decision reports private.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If ~/.openclaw/workspace/shared_memory_loader.py is unexpected or modified, code outside this reviewed package could run when the skill starts.
The skill prepends a local shared workspace directory to Python's import path and imports shared_memory_loader, but that helper is not included in the provided file manifest or declared as an installation requirement. Python imports execute module top-level code, so this introduces unreviewed code execution from outside the packaged skill.
sys.path.insert(0, str(Path.home() / ".openclaw" / "workspace"))
from shared_memory_loader import get_latest_holdings
Bundle and review the loader with the skill, or parse SHARED_MEMORY.md directly with narrow file-reading code. Users should inspect the exact shared_memory_loader.py file before running this skill.
Incorrect or poisoned holdings data could produce misleading stop-loss, take-profit, or position-management recommendations, and generated reports may expose portfolio details to anyone with local access.
The skill bases its recommendations on shared-memory holdings and then stores a report locally. This is aligned with the skill purpose, but shared memory and generated reports can contain sensitive or stale portfolio information.
holdings = get_latest_holdings() ... output_dir = Path.home() / ".openclaw" / "decisions" ... f.write(report)
Verify SHARED_MEMORY.md before using the report, keep generated decision files private, and treat the output as informational rather than automatic investment advice.
The market-data provider can observe which stock codes are queried from the user's environment.
The skill calls an external quote API for each stock symbol. This is expected for real-time pricing, but the specific provider and the fact that portfolio tickers are sent externally are not clearly highlighted in the metadata.
url = f"https://qt.gtimg.cn/q={symbol}"
response = requests.get(url, headers=headers, timeout=5)
Disclose the quote provider clearly and avoid running the skill if revealing portfolio tickers to that provider is unacceptable.
