ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alpha Pulse 1.0.0

v1.0.0

Generates top 30 high-potential A-share stocks for next-day short-term trading using multi-factor signals and automatic daily market scanning.

0· 64·0 current·0 all-time
by@kernelh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description claim a complete T+1 signal engine that produces Top‑30 predictions, reports and notifications. The repository only provides a scanner skeleton (lib/scanner.py) and config.yaml; SKILL.md refers to factors.py, predictor.py, filter.py, examples/run_tomorrow.py and CLI commands (alpha-pulse predict/report/notify) that are not present. This is an important mismatch between claimed capability and actual included artifacts.
!
Instruction Scope
SKILL.md instructs users to run commands (alpha-pulse predict, alpha-pulse scan, python examples/run_tomorrow.py) and to install model packages (xgboost) and optionally configure a tushare token. The code only implements market list and daily-kline retrieval via akshare. The instructions therefore overreach the actual code and could mislead a user or an agent into invoking non-existent CLI entrypoints or assuming model/reporting behavior that isn't delivered.
Install Mechanism
There is no install spec (instruction-only skill). The README suggests installing common Python packages via pip (akshare, pandas, numpy, xgboost). That is proportionate and expected for the stated domain; no downloads from untrusted URLs or archive extraction are present.
Credentials
The skill declares no required environment variables or secrets. SKILL.md mentions an optional tushare token to 'improve' certain data, but config.yaml does not include a token field. No credentials are requested, which is proportionate; be aware that optional tokens (tushare) are mentioned but not integrated in the included code.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does not modify other skills or system configuration in the provided files.
What to consider before installing
This package appears to be a scaffold rather than a complete feature: SKILL.md promises predictor, reporting and notification components that are not included. Before installing or running: (1) treat it as incomplete — expect to need additional code or scripts; (2) inspect any additional files the author supplies (predictor, factors, CLI wrappers) before running them; (3) run in an isolated environment if you must execute it (virtualenv/container); (4) do not provide credentials/tokens unless you confirm how they are used; and (5) ask the publisher for the missing modules or a clear README showing how the full pipeline is implemented.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bfdmsjxzmm5k3beh862me7183v975

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments