Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AUSUB
v1.0.3 · Based on Tushare gold ETF daily market data and a rule set, dynamically generates gold dollar-cost-averaging (DCA) recommendations with risk warnings and a reference investment amount.
by @juryory
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence

Purpose & Capability
The skill's name/description (gold ETF dynamic DCA recommendations) aligns with the code and SKILL.md: it uses Tushare to fetch ETF and SGE data and computes indicators. However, the registry metadata claims no required env vars while both SKILL.md and all scripts require a TUSHARE_TOKEN; this mismatch is an incoherence between declared requirements and actual capabilities.
Instruction Scope
Runtime instructions and included Python scripts stay within the stated purpose: they call the tushare API, compute indicators, produce recommendations, and optionally read local user memory (memory/users/*.json) and write history CSV under references/history/. No hidden network endpoints or broad system data collection are present in the SKILL.md or scripts.
Install Mechanism
There is no install spec; the package is instruction-and-script-only. requirements.txt lists only 'tushare' which is appropriate for the stated purpose. No remote download URLs or archive extraction are used.
Credentials
The code requires the TUSHARE_TOKEN environment variable to access Tushare (appropriate for the purpose) but the skill metadata did not declare this requirement. The scripts also honor optional env vars (OPENCLAW_CONFIG, OPENCLAW_USER_ID, OPENCLAW_HISTORY_PATH, OPENCLAW_SYMBOL) which allow reading local project files (memory/users/<id>.json and references/history/*.csv). Those local reads/writes are reasonable for this skill but should be documented in registry metadata so users know what to provide and what files may be accessed.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It reads/writes only project-local files (references/history and memory/users) and does not modify other skills or global agent settings. Path-escape protections are present to restrict file access to the project directory.
What to consider before installing
Before installing:
(1) Expect to provide a TUSHARE_TOKEN — the skill will fail without it; the registry incorrectly lists no required env vars, so update your expectations accordingly.
(2) The skill may read a user memory file memory/users/<OPENCLAW_USER_ID>.json and will write/read CSVs under references/history/ — ensure those files are stored only in a trusted project directory.
(3) The code only contacts Tushare via the tushare library (no hidden endpoints), but review any token you provide and avoid reusing high-privilege credentials.
(4) If you need to verify safety, inspect the included scripts (openclaw.py, fetch_history.py, backtest.py) yourself or run them in a sandboxed environment with a limited-scope Tushare token.
(5) The metadata mismatch (missing TUSHARE_TOKEN declaration) is likely sloppy packaging rather than malicious, but treat it as a red flag and prefer to review code before granting environment variables.

Like a lobster shell, security has layers — review code before you run it.
latest · vk9742hvzypxasdkjap8f5849q183bbtx
