Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Eastmoney Stock.Bak
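v1.0.0
Queries Eastmoney stock data, including individual stock quotes, price change percentages, trading volume, and more. Used to answer stock-related questions.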
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description say this uses 東方財富 (Eastmoney) APIs, and some scripts (sector_rank.py, sector_rank, etc.) call Eastmoney endpoints, but multiple key scripts (scripts/stock.py, analyze_603588.py, test_600323.py, hot_sectors.py) actually call Sina's hq.sinajs.cn endpoints. Functionality (fetching stock quotes, sector ranks, simple analysis) is consistent with the description, but the mixed/unnamed data sources and small metadata mismatch (registry ownerId vs _meta.json ownerId) are unexpected and reduce transparency.
Instruction Scope
SKILL.md instructions are limited to querying stock info and are scoped appropriately. However, several code files have side effects: many modules call their main functions at module load (e.g., analyze_603588.py, hot_sectors.py, hot_sectors_today.py, sector_rank.py, test_600323.py). That means importing or executing the package may immediately perform outbound HTTP requests and print data. There are no instructions to read local files or access environment variables, and the code does not exfiltrate data to unexpected endpoints — only to public finance APIs (sina/eastmoney). Still, auto-running network calls on import is surprising and can be a risk in some integration contexts.
Install Mechanism
No installer is provided (instruction-only / code files only). No downloads from arbitrary URLs, no package installs declared. package.json lists no dependencies. This is low install risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The external network calls are to public finance APIs (hq.sinajs.cn and push2.eastmoney.com) which fit the stated purpose. There are no hidden API keys or secret requirements.
Persistence & Privilege
Flags are normal: always:false and user-invocable:true. The skill does not request persistent system privileges or modify other skills' configs. Autonomous invocation is permitted by default but not combined with other high-risk items here.
What to consider before installing
This skill appears to implement stock and sector queries and uses public Sina / Eastmoney endpoints, but exercise caution: (1) The codebase mixes data sources (Sina and Eastmoney) which is not documented in SKILL.md — confirm which API you prefer. (2) Several Python files perform network requests when the module is loaded (they call their main functions at the bottom). If the platform imports these files, they may make outbound HTTP calls immediately; prefer a skill that exposes explicit entry points without side-effectful top-level code. (3) There is a mismatch in owner metadata between registry info and _meta.json — that could be innocent (copy/paste) but reduces provenance. Recommended actions before installing: review the code yourself or run it in a sandboxed environment, remove or refactor top-level execution if you plan to import the package, and confirm the author/source. If you need stronger guarantees, ask the publisher for a clear source repository and a versioned release signed/hosted on a trusted site.
Like a lobster shell, security has layers — review code before you run it.
latestvk970be26qp9752r6nsq1arybkn83bfn0
