Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
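A-Share Market Analysis Report / china A stocks daily review
v1.0.2
A-share market analysis Skill that generates three types of report: pre-market overview, intraday brief, and post-market review. China A-Share Market Daily Review Skill — generates 3 report types: Pre-Market Briefing, Intraday Snapshot, Pos...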
by @kooui
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (generating pre-market/intraday/post-market A‑share reports) aligns with the tools it documents (Tushare, AKShare, search engine fallback). Requesting a local Tushare token (~/.tushare_token) is appropriate for the primary data source. However, README/SKILL.md assert features (automatic daily push to messaging channels) that would require additional credentials/integration and a scheduling mechanism which the registry metadata does not declare — this is a mismatch between claimed capabilities and the package footprint.
Instruction Scope
SKILL.md includes runnable Python snippets that read/write ~/.tushare_token, perform network checks against api.tushare.pro, call akshare, save reports to local files, and fall back to web scraping. Those actions are within scope for a data-reporting skill, but the docs also describe automatic scheduling and pushing to external messaging endpoints (WeChat/WhatsApp) without any instructions on how credentials are provided or how the push is implemented. The instructions therefore grant broad discretion (scheduling/pushing) that's not supported by declared requirements.
Install Mechanism
The skill is instruction-only with no install spec (lowest technical risk). Yet the README states 'Auto Push: Active After Installation' and enumerates scheduled RRULEs. There is no install script, no scheduler hookup, and no declared integration with messaging providers. That discrepancy suggests the documentation overclaims behavior that cannot be realized from the provided artifacts alone.
Credentials
The only credential material described is a user-provided Tushare token stored locally (~/.tushare_token). No other environment variables or unrelated secrets are requested. Using a Tushare token is proportional to the stated data-fetching purpose. The skill's fallback to web scraping may cause additional outbound requests but does not request unrelated credentials.
Persistence & Privilege
Registry flags show no forced persistence (always: false) and no required env/config paths. Nevertheless, the documentation asserts that daily automated pushes are enabled by default and that reports will be saved and pushed to linked messaging channels. Without an installer, scheduler, or explicit auth for messaging endpoints, this is an unsupported claim and could mislead users about the skill gaining persistent/background capabilities.
Scan Findings in Context
[none_detected] expected: The static scanner found no regex matches (the package is instruction-only). Absence of findings is not evidence of safety; the textual instructions themselves are the primary surface to review.
What to consider before installing
This skill largely looks like a legitimate report generator: it expects you to optionally provide a Tushare token saved to ~/.tushare_token, and it will use AKShare or web scraping as fallbacks. However, the README/SKILL.md claim automatic daily scheduling and pushing to message channels (WeChat/WhatsApp) even though there is no installer, no declared messaging credentials, and no mechanism in the provided files to enable those behaviors. Before installing or enabling this skill:
- Ask the author how 'auto-push' is implemented and where messaging credentials would be stored; do not assume the skill will gain background scheduling without your explicit setup.
- Never paste secret tokens into chat; save the Tushare token only to your own home directory as documented if you accept that risk.
- If you want scheduled pushes, require explicit steps and check what agent/service will hold your messaging credentials.
- If uncertain, run the skill in a restricted environment (isolated account or container) and verify what network endpoints are contacted and what files are created (e.g., ~/.tushare_token, report_YYYYMMDD_*.md).
I rated this 'suspicious' (medium confidence) because the main red flags are doc/behavior mismatches (claimed auto-push/persistence without an install path or requested messaging credentials). If the author can show the actual integration code or an install spec that explains scheduling and credential handling, the concern would be resolved.
