Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Analysis Master: for A-shares, supports in-depth single-stock analysis and multi-stock comparison (overall / technical / financial statements / valuation). Trigger words: stock analysis, stock comparison, financial report comparison, value analysis, technical analysis, buy/sell points, fundamentals, market timing, ST analysis. Applicable scenarios: the user needs structured analysis and comparison of one or more clearly specified stock targets. Not applicable: no stock target is provided, the request is only for ultra-short-term order-book trading instructions, or the target is not an A-share.

v1.0.0

by 三水清 (@ksky521)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform structured A‑share stock analysis and its runtime instructions call the daxiapi-cli and other xiapi skills — that aligns with the stated purpose. However, the skill expects a DAXIAPI token (it shows commands to check/set DAXIAPI_TOKEN) yet the registry metadata lists no required environment variables or primary credential. The skill also references other xiapi skills (e.g., xiapi-financial-roe-analysis) but does not declare those dependencies or their auth needs. Missing these declarations is an incoherence between claimed purpose and declared requirements.
Instruction Scope
SKILL.md gives detailed, narrowly scoped runtime steps (search, stock info, kline, report finance, patterns, etc.) and stays within stock-analysis tasks. It does not instruct reading arbitrary system files or unrelated credentials. However, it explicitly instructs running npx daxiapi-cli@latest (which will fetch and execute remote code) and to configure a token via CLI or environment variable — the agent/user will be asked to provide a secret token. The instructions are otherwise precise and don't request extra unrelated data.
Install Mechanism
There is no install spec in the registry (instruction-only), but the runtime commands rely on npx to fetch daxiapi-cli@latest from npm at runtime. Using npx implies executing remote code on-demand; this is expected for a CLI-driven integration but raises supply-chain provenance concerns because the skill metadata lacks a homepage/source and does not pin a specific package version or known release host.
Credentials
The skill's documented workflow requires a DAXIAPI token (DAXIAPI_TOKEN or via npx config set), yet the registry metadata does not declare any required environment variables/credentials. That omission prevents automated platforms from warning users about secrets being needed. The skill also references other xiapi skills whose credential needs are not declared. Asking the user to set a token is proportionate to the skill purpose, but the lack of explicit declaration is a red flag.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not claim to modify other skills or system-wide settings. It suggests using CLI config commands (npx daxiapi-cli config set token) which will store a token in the CLI's config or via an environment variable — this is normal for CLI-based integrations and is within expected privilege for a data‑fetching skill.
What to consider before installing
This skill appears to be coherent with an A‑share analysis tool but has two practical concerns you should address before trusting it: (1) provenance — the SKILL instructs running 'npx daxiapi-cli@latest' but the registry entry has no homepage/source or pinned package; inspect the daxiapi-cli npm package (author, source repo, recent releases, and code) before executing it. (2) secrets handling — the skill requires a DAXIAPI token but the metadata does not declare this credential; verify what scope the token needs, whether it can be limited, and avoid pasting high‑privilege keys where possible. Recommended steps: review the daxiapi-cli package source on GitHub/NPM, prefer a pinned package version, run the CLI in a sandbox or throwaway environment first, confirm the token's minimal required scopes, and ask the skill author/owner to add explicit required-env metadata and a homepage/source URL. If you cannot verify the CLI provenance, do not install or run the npx commands with your production credentials.


latest · vk97cjfcpg86a22efbhemxyyg2984e1mj
