A Stock Info

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated stock-data purpose, but its setup instructions embed a fixed qgdata API token of unclear ownership, which users should not reuse as their own credential.

Before installing, replace the embedded QGDATA_TOKEN with your own qgdata token, avoid copying the provided token into your environment, and be aware that some advertised data features are placeholders. Pin or review the Python dependencies if you use this in a sensitive environment.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Users may unknowingly use a shared, leaked, revoked, or third-party provider credential, causing quota, attribution, or account-boundary problems.

Why it was flagged

The setup instructions present a specific API token value, not a clearly labeled placeholder, and tell users to store it for provider access.

Skill content
export QGDATA_TOKEN="Kj9mN2xP5qR8vL3tY7wZ1aB4cD6eF8gH9nX4pL2qR7sT5vY8wZ1aB3cD6eF0gH2i" ... echo "QGDATA_TOKEN=..." >> ~/.openclaw/.env
Recommendation

Remove the embedded token, use a placeholder such as YOUR_QGDATA_TOKEN, and require each user to configure their own qgdata credential securely.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing unpinned packages may produce different behavior depending on the package versions available when the user installs them.

Why it was flagged

The skill relies on externally installed Python packages without pinned versions or a lockfile. This is normal for a Python API wrapper, but package behavior can change over time.

Skill content
pip install qgdata pandas
Recommendation

Pin dependency versions, preferably matching the documented qgdata version, and install from a trusted package source.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Users could overestimate the skill's available market-data coverage and rely on features that are not actually implemented.

Why it was flagged

The code returns a development message for real-time data and similar placeholder logic for trades, while the documentation advertises these as core features.

Skill content
"message": "实时数据查询功能开发中"
Recommendation

Update the documentation to clearly mark incomplete features, or implement the advertised real-time, trade-detail, fundamental, and calendar functions.