Stock Monitor - 股票监控
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a disclosed one-time stock alert checker, but it uses a Jisu API key, external market-data calls, and local config/state files that users should keep private.
Before installing, make sure you are comfortable giving the skill a Jisu API key and storing holdings/cost data in local JSON files. Use a private config/state path, do not commit those files or the API key, and treat the output as informational rather than investment advice.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill uses your Jisu API key to fetch stock data; misuse or exposure of that key could affect your Jisu account quota or billing.
The script sends the configured JISU_API_KEY as an API parameter when calling the Jisu stock services.
q = {"appkey": appkey}
...
r = requests.get(f"{base}/{path}", params=q, timeout=15)
Use a dedicated Jisu API key if possible, do not commit it to a repository, and keep it in environment variables or another private secret store.
If the state file path is set carelessly, the skill could overwrite a local file that the current user account can write.
The configured state file path can cause the script to create directories and replace the target state file.
if d and not os.path.isdir(d):
    os.makedirs(d, exist_ok=True)
...
os.replace(tmp, path)
Use a dedicated state file path such as a project-local `jisu-stock-monitor.state.json`, and avoid pointing `state_file` or `JISU_STOCK_MONITOR_STATE` at important system or personal files.
The state file may reveal information about monitored holdings and alert history if stored in a shared or public location.
The skill documents persistent local state for trailing peaks and alert cooldowns across runs.
state_file | string / null | State file path (cross-day take-profit peaks, alert cooldowns)
Keep config and state files out of public repositories, follow the provided `.gitignore` guidance, and store them in a private directory.
Installing unpinned dependencies can produce different package versions over time.
The setup guidance asks users to install the `requests` package without a pinned version.
Dependencies: `pip install requests`.
Install dependencies from a trusted Python package source, preferably in a virtual environment; pin versions if you need reproducible installations.
