Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A Stock N Pattern
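v1.0.9
🚀 A-share strong-stock catcher - based on the classic N-pattern technical indicator, screens in real time for stocks breaking out on expanding volume.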
⭐ 0 · 341 · 2 current · 3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to fetch real-time N‑pattern signals from a backend API and charge 0.01 USDC per call; SKILL.md, skill.json, and the included api.py all reference the same project/recipient wallet, so overall capability lines up with the description. However, the packaged api.py is a small local FastAPI that returns static example signals (no real datasource calls), while SKILL.md claims data comes from 东方财富/同花顺 etc. This difference suggests the included code is a stub/example rather than the actual data provider.
Instruction Scope
SKILL.md instructs the agent to call an external endpoint and perform an x402 payment (0.01 USDC) but does not explain how to perform x402 payments or what credentials/authorization the agent needs. The endpoint path in SKILL.md (/n) does not match routes defined in api.py (/signals, /n-pattern). Instructions are otherwise narrowly scoped to requesting the API and presenting results, but the payment step is vague and grants the agent broad discretion unless the platform enforces x402 handling.
Install Mechanism
There is no install spec (instruction-only style). The presence of a small api.py and skill.json is low risk because nothing is automatically installed or downloaded by the skill. No external installers or downloads are present.
Credentials
The skill requires a monetary payment to a third‑party wallet (0x1a9275EE18488A20C7898C666484081F74Ee10CA on Base) but declares no required environment variables or credentials. If the agent/platform is expected to perform on‑chain payments, it would need wallet access/credentials that are not declared here. Users should note this skill will incur real charges to a specific external wallet and the mechanism for paying is unspecified.
Persistence & Privilege
always is false, there is no install script, and the skill does not request system‑wide configuration or other skills' credentials. It does not request persistent placement or elevated privileges.
What to consider before installing
This skill appears to do what it says (return N‑pattern stock picks) but has several unclear points you should verify before enabling:
1) Confirm how x402 payments are handled by your agent platform — do you need to provide a wallet or private key? Never paste private keys into a skill.
2) Confirm you accept the real monetary charge (0.01 USDC per call) and that the recipient wallet (0x1a92...) is legitimate.
3) Ask the author/maintainer to clarify the endpoint path (SKILL.md uses /n but api.py exposes /n-pattern and /signals) and whether the bundled api.py is a stub.
4) Prefer testing with a single call or a sandbox payment flow first.
If the platform does not natively handle x402, do not provide wallet credentials and do not authorize payments to this external wallet.
Like a lobster shell, security has layers — review code before you run it.
latestvk975h50ggemdvepptqcmxvycnn82wqqs
