Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Company Onepager

v7.1.0

Generates a one-page research brief for a listed company, integrating basic information, market data, a table of the last 10 years of financial data, a 10-year monthly candlestick chart, shareholder structure, and recent news. Data priority: iFinD → Tushare → AkShare + Web Search. Each section is labelled with its data source. Use cases: (1) researching stock/company information (2) generating stock analysis reports (3) integrating multi-dimensional data to ...

Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with included code (fetching iFinD/Tushare/AkShare data, building charts and PDFs). However there are metadata mismatches: the registry metadata lists only TUSHARE_TOKEN as a required credential, while SKILL.md and the code also require an iFinD auth_token stored in a config file path (~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json). The code enforces presence of TUSHARE_TOKEN even if the user intends to fall back to AkShare (odd design choice). These inconsistencies are likely engineering gaps but are relevant to trust.
Instruction Scope
Runtime instructions and code read an iFinD config file under ~/.openclaw/workspace/skills/ifind-finance-data and attempt to import/use other skill code (brave-search) if present — this cross-skill file access increases the attack surface. The iFinD fetch uses requests with verify=False (disables SSL verification). The code also calls web_search/brave_search and may send data to external network endpoints (iFinD API, Google Fonts, web search). The scripts will exit if TUSHARE_TOKEN is not set, even when only AkShare is intended. These behaviors go beyond a simple 'call Tushare' flow and merit review.
Install Mechanism
There is no formal install spec (instruction-only), which minimizes invisible installation steps. SKILL.md lists pip dependencies (tushare, akshare, matplotlib, weasyprint, etc.) — installing these is expected for the functionality but weasyprint can require extra system libraries and pip installs will pull network packages. No arbitrary binary downloads or obscure URLs were found in the manifest.
Credentials
The declared primaryEnv is TUSHARE_TOKEN (reasonable), but the code also requires an iFinD auth_token stored in a specific config file (not declared as a required env var in the registry). The skill forces presence/validation of TUSHARE_TOKEN even for AkShare fallback. It also attempts to read other skills' directories (ifind-finance-data, brave-search). Requiring and reading tokens/configs from the user's workspace and other skill directories is disproportionate if the user only expects a local data-puller; ensure you are comfortable storing tokens in the specified files/locations.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It writes output (data.json, chart, markdown, html, pdf) under ~/.openclaw/workspace/temp which is expected. The notable point is that it reads config files in another skill's workspace rather than only its own files — this is not privilege escalation by itself but increases the blast radius if a token is present there.
What to consider before installing
Before installing:
- Expect to provide your TUSHARE_TOKEN environment variable; the tool will exit if TUSHARE_TOKEN is not set even if you only want to use AkShare. Verify you are willing to set this.
- The skill will also try to read an iFinD auth_token from ~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json; if you don't have iFinD credentials this is optional, but the code references that path. Review that file location and avoid placing sensitive tokens in shared/other-skill folders.
- The fetch implementation calls an iFinD API endpoint and sets requests verify=False (disables TLS verification). That weakens transport security; consider editing the code to enable certificate verification (verify=True) before use.
- The skill imports/uses other skill code (brave-search) if present and performs web searches and external network calls (iFinD, Google Fonts, possible web search APIs). If you need to protect data or limit outbound network access, run this in an isolated environment or container.
- Dependencies include WeasyPrint and other Python packages that may require system libraries; review and install dependencies in a controlled environment.
- If you plan to use it, audit the included scripts (fetch_company_data.py, generate_markdown_v6.py) yourself for any additional endpoints or logging of tokens, and consider removing/adjusting any verify=False lines and the hard exit behavior for missing tokens.
If you want, I can highlight the exact lines in the code that read external tokens, disable SSL verification, and import other skills for you to inspect further.


Tags: china-market, company-research, data-integration, financial-data, financial-report, latest, markdown, onepager, pdf, report-generation, stock-analysis

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: python3
Env: TUSHARE_TOKEN
Primary env: TUSHARE_TOKEN
