Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
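Stock Analyzer | In-Depth Stock Analysis
v1.0.0
Enter a stock code to get an in-depth analysis of financial data, valuation, and moat, and generate an investment analysis report.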
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the instructions: gathering financial data, analyzing valuation and moat, and producing reports. Data sources named (Eastmoney/Sina/company annual reports/Wind) are appropriate for a stock analysis skill.
Instruction Scope
SKILL.md confines actions to fetching public financial data (exec + curl, web_fetch, browser) and producing a structured report. However, it explicitly instructs use of 'exec + curl' (shell execution) which, while reasonable for HTTP requests, grants the agent the ability to run arbitrary shell commands if implemented without proper sandboxing — monitor how exec is implemented in the runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer; lowest install risk.
Credentials
The skill requests no environment variables or credentials, which is proportionate. Minor inconsistency: it names Wind (a paid data provider) as a source but does not request credentials or explain how to access paid APIs; it likely expects public scraping. If you intend it to use paid APIs, credentials will be needed and should be provided securely.
Persistence & Privilege
always:false and no install/persistence actions. The skill does not request permanent presence or system-wide configuration changes.
Assessment
This skill is coherent for doing stock analysis and appears to rely only on web data. Before installing or enabling it: (1) confirm the runtime sandboxing for shell exec (the SKILL.md asks for 'exec + curl'; ensure the agent cannot run arbitrary host commands you don't expect); (2) know that scraping public sites can produce incomplete or brittle data, and 'Wind' is a paid source (no credentials are declared); (3) avoid supplying any unrelated secrets or API keys unless you understand how they will be used; (4) treat reports as informational only (the skill already includes a disclaimer). If you need to use paid data/APIs, ask the author to declare required credentials and expected endpoints explicitly.
Like a lobster shell, security has layers — review code before you run it.
