License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description (monitor holdings' news and alert on important items) match the SKILL.md content: data sources, evaluation rules, alert types, and aggregation are all appropriate for a news-alert skill.
Instruction Scope
The SKILL.md is a high-level policy for monitoring and alerting. It does not instruct the agent to read local files or secrets, but it is open-ended about how to fetch sources and how to deliver alerts (e.g., '消息推送', '主动提醒') — that vagueness gives the agent broad discretion which could lead to scraping or using available connectors without constraints.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk; nothing is written to disk by the skill itself.
Credentials
The skill declares no environment variables or credentials. In practice, monitoring real-time feeds and sending push notifications typically requires API keys or tokens (news APIs, push/service connectors). The absence of declared creds is not malicious but is a gap you should clarify before granting runtime access.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent system-wide changes or modify other skills' configs.
Assessment
This skill appears to do what it says (monitor holdings' news and alert you), but it's high-level and omits implementation details. Before installing or enabling autonomous run: (1) Ask how alerts will be delivered and what connectors or API keys will be required (push service, email, chat webhook) and only supply minimal, scoped credentials. (2) Confirm legal/ethical scraping and rate limits for listed data sources (东方财富、雪球、微博等). (3) Decide whether you want the skill to run autonomously (it can proactively push alerts) or only run on explicit user requests. (4) If the maintainer provides code later, review network calls and any credential handling. If you cannot verify notification endpoints or required credentials, consider running it manually or restricting its permissions until those details are clear.
Like a lobster shell, security has layers: review code before you run it.
latest vk97fcbc3zpe40mzkmbyh6z2rpd83rwgf
