ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A股交易助手 stock bitsoul

v1.0.0

计算股票或组合的年化收益率,支持按股票代码+日期范围自动拉取K线计算,也支持直接输入初始/最终资金计算,输出年化收益率、总收益率、最大回撤、夏普比率等完整绩效报告

0· 68·0 current·0 all-time
by@kangqirun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (python3), and BITSOUL_TOKEN align with a skill that fetches stock data from a service. However, the SKILL.md imports a local module (scripts/stock_api) and calls many api.* helpers (get_daily_kline, get_annualized_return, etc.) while this package contains no code files — that mismatch suggests missing implementation or an implicit external dependency.
!
Instruction Scope
Instructions explicitly modify sys.path to load scripts from a local 'scripts' folder and then call many api methods; since no scripts are present, runtime behavior is undefined. The skill also mandates calling api.get_annualized_return() instead of computing the formula locally and requires strict output formatting. The instructions do not attempt to read unrelated system files, but they assume availability of a local code module or an external fetch mechanism that is not documented.
Install Mechanism
This is an instruction-only skill with no install spec and no code written to disk by the skill itself, which is the lowest-risk install pattern. There is no download/install step declared.
Credentials
Only one required secret (BITSOUL_TOKEN) is declared as the primary credential, which is proportional for a service that pulls stock data. The metadata also lists an allowed network host (info.aicodingyard.com) that matches the skill homepage. No unrelated credentials or broad system paths are requested.
Persistence & Privilege
The skill does not request always-on presence and uses normal model invocation. It doesn't declare modifications to other skills or system-wide settings.
What to consider before installing
Before installing, verify the following: (1) Where does the stock_api implementation come from? The SKILL.md expects a local scripts/stock_api module but the skill bundle has no code — ask the author to provide the module or explain how the agent will obtain it. (2) Confirm BITSOUL_TOKEN scope and trustworthiness of https://www.aicodingyard.com / info.aicodingyard.com — only provide a token with minimal, read-only permissions and avoid reusing sensitive credentials. (3) Expect runtime failures or unexpected network fetches if the missing code is pulled dynamically; request a clear install or source URL for any required client libraries. (4) Note small issues that may break execution (e.g., a possible typo get_symbol_basic_infomation). If the author provides the missing code or documents how stock_api is supplied (and the token only grants read access), the skill is coherent; otherwise treat it as untrusted and do not provide production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ax2n5dyrgnbm5he7h6g79h83gs4v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binspython3
EnvBITSOUL_TOKEN
Primary envBITSOUL_TOKEN

Comments