Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

全方位智能股票分析v4 (All-round Intelligent Stock Analysis v4)

v4.0.0

All-round intelligent analysis assistant v4.0 for A-shares, Hong Kong stocks, US stocks and ETFs. Core features: (1) conclusion first, (2) clear and decisive signals, (3) intraday real-time scanning, (4) automatically reads ~/Desktop/股票知识库/. Data sources: tushare realtime_quote (real-time five-level order book), akshare (fund flows / dragon-tiger list / research reports), yfinance (US and Hong Kong stocks), web search (消...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's functionality (historical prices, realtime quote, fund flows, research reports, web search) is coherent with a stock-analysis assistant and uses yfinance/akshare/tushare as expected. However, the top-level description claims '自动读取 ~/Desktop/股票知识库/' (automatically read ~/Desktop/stock-knowledgebase), yet no config paths or permissions are declared in the metadata. In addition, _meta.json/plugin.json list version 1.0.0 while the registry shows 4.0.0, a minor mismatch. Automatic reading of a Desktop folder is a potentially intrusive capability that should be explicitly declared.
Instruction Scope (flagged)
The SKILL.md contains concrete runtime instructions to call yfinance, akshare, and tushare and to perform web searches. It explicitly reads os.environ['TUSHARE_TOKEN'] in examples and requires pulling many data sources. The doc also states it will '自动读取 ~/Desktop/股票知识库/' and mandates web searches; these actions mean the agent will access local files and external networks. There are no explicit instructions to exfiltrate data, but the scope includes reading a user Desktop path and using networked APIs without clarifying what local data is required or how it's used.
Install Mechanism
This is instruction-only (no install spec, no code files to execute). That is low-risk from an installation perspective; however, it implicitly depends on Python packages (yfinance, akshare, tushare, pandas) being present. No downloads or archive extractions are specified.
Credentials (flagged)
SKILL.md uses TUSHARE_TOKEN via os.environ.get('TUSHARE_TOKEN'), but the skill metadata lists no required environment variables or primary credential. Requesting an API token for tushare is reasonable for realtime data, but failing to declare it is a misalignment. The skill also claims to read ~/Desktop/股票知识库/ (local files) but metadata declares no config paths. Missing declarations reduce transparency and increase risk of accidental exposure of local files or secrets.
Persistence & Privilege
The skill does not request 'always: true' and uses normal autonomous invocation defaults. There is no install-time persistence or cross-skill configuration changes in the provided files. No elevated platform privileges are requested.
What to consider before installing
Before installing or running this skill, consider the following:

- The skill expects to use tushare (it reads TUSHARE_TOKEN) but the token is not declared in the metadata; do not paste your TUSHARE_TOKEN into an untrusted skill without confirmation. Ask the author to explicitly declare required env vars and justify them.
- The description says it will automatically read ~/Desktop/股票知识库/. Confirm whether the skill will actually access that path and what it will read/send. If you keep private files there, don't allow automatic reading.
- The skill will perform network requests (yfinance/akshare/tushare/Web search). Run it in a sandboxed environment if you are concerned about data exfiltration, and avoid supplying unrelated credentials.
- Request that the maintainer: (1) list required environment variables (e.g., TUSHARE_TOKEN), (2) list any local paths the skill will read, and (3) provide a minimal install/run checklist. If you cannot get these clarifications, treat the skill as untrusted and avoid providing secrets or placing sensitive files in the referenced Desktop folder.
- If you need to use it, consider creating a limited-purpose tushare token or running the analysis on a machine/user account that has no sensitive files on ~/Desktop.
