Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Financial Risk Scanner for Listed Companies

v1.0.4

Analyze listed company financials to detect 21 fraud risk indicators with severity ratings and cross-validation for accounting anomalies and governance issues.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (financial fraud/risk scanning) align with the included Python scripts and their use of Tushare + pandas. The code implements fetching balance sheets, income statements, cash flow statements and indicators, computing 21 risk metrics, and generating Markdown reports — all consistent with the stated purpose. Minor inconsistency: the registry metadata provided to you lists no required environment variables, but the SKILL.md and code clearly require a TUSHARE_TOKEN; that mismatch is unexplained and notable.
Instruction Scope
SKILL.md and the scripts confine runtime actions to: calling the Tushare API, computing indicators, cross-validating with announcements/news via Tushare, and writing Markdown reports to ~/.openclaw/workspace/memory/financial-risk/. There are no instructions to read unrelated local files, access other credentials, or contact arbitrary external endpoints beyond Tushare. The skill supports batch analysis, which can cause high-volume API usage but is consistent with its analysis purpose.
Install Mechanism
No install spec is present (instruction-only from platform perspective), and included code is plain Python using standard public packages (tushare, pandas). There are no downloads from unknown URLs, no extract/install steps, and no packaging that would place binaries in unusual locations. The lack of an install script means a user must install Python deps manually before running the scripts.
Credentials
The code and SKILL.md require a single sensitive credential: TUSHARE_TOKEN (Tushare Pro API token), which is appropriate and necessary for fetching Chinese A-share financial data. However, the registry metadata (presented in the evaluation header) stated 'Required env vars: none' — this discrepancy is problematic because a user could install/enable the skill without realizing it will request and transmit a paid/privileged API token. No other unrelated secrets (AWS, GitHub, etc.) are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require elevated system privileges. It writes reports to a subdirectory under the user's home (~/.openclaw/workspace/memory/financial-risk), which is within expected behavior for a reporting tool. Autonomous invocation (model-invocation enabled) is the platform default and is not by itself a new risk here.
What to consider before installing
What to check before installing or running this skill:
- Metadata mismatch: the registry metadata claims no required env vars, but SKILL.md and the code require a TUSHARE_TOKEN. Do not assume the skill needs no credentials — it does. Ask the publisher to correct the registry metadata.
- TUSHARE_TOKEN is sensitive: it grants access to a paid data API tied to your account. Use a dedicated/limited API token (or trial account) rather than your primary account token. Monitor API usage/quota to avoid unexpected charges.
- Inspect the repo yourself (you have the Python files). The code is readable and the network calls are to tushare.pro via the tushare client; there are no obvious obfuscated endpoints. If you are not comfortable reading code, run it in an isolated environment (VM or container) and with a test token first.
- Files written to disk: reports are saved under ~/.openclaw/workspace/memory/financial-risk/. If you are concerned about data persistence or leakage, change the output path or run in a disposable environment.
- API quota and batch mode: example scripts include batch analysis and loops over peer lists — these can consume large numbers of API calls. If you run batch analyses, throttle requests and watch your Tushare rate limits/quotas to avoid denial-of-service or unexpected billable usage.
- Trust and provenance: the skill source and homepage shown in the registry are minimal/unknown. Prefer skills with a verifiable homepage, published repository, or known author. Ask the owner for a source repository link or sign-off.

If the owner provides corrected registry metadata (listing TUSHARE_TOKEN) and a verifiable homepage or repository, the inconsistencies would be resolved and confidence in the package would increase. If you can't validate the publisher, run the code only in a sandbox and use a token with limited access.


Tags: financial-risk, fraud-detection, fundamental-analysis, investment, latest, stock-analysis
