Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hk Ipo Research Assistant
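v0.1.1 Hong Kong stock IPO subscription research assistant. Fetches real-time data (margin financing, cornerstone investors, ratings, grey market, A+H discount, allotment rate) for the AI to analyze and assess. Trigger words: Hong Kong IPO subscription (港股打新), new-share analysis (新股分析), IPO, margin financing (孖展), sponsor (保荐人), grey market (暗盘), allotment rate (中签率), cornerstone investors (基石投资者). Not applicable to: A-share IPO subscription, US stock IPOs, fund subscriptions.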
⭐ 1· 616·7 current·7 all-time
bym3@marvae
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the package contains adapters and CLI commands for fetching IPO-related data (AiPO, AAStocks, HKEX, Futu, TradeSmart, Jisilu), analytics (allotment prediction, A+H comparison), and helper references. The requested actions (pip install, run python scripts/hkipo.py) are proportionate to the stated purpose.
Instruction Scope
SKILL.md directs installing Python deps and running the bundled CLI. Runtime behavior (HTTP requests to third‑party public data sites, parsing HTML/JSON, generating predictions, reading/writing scripts/config/user-profile.yaml, caching) is within scope. The skill reads/writes only files inside its directory (scripts/config/, cache files) and does not instruct reading arbitrary system files or environment variables. It does request the user to enter a user profile (capital, risk, margin, broker) which is saved locally.
Install Mechanism
No platform package manager install spec; SKILL.md requires 'pip install -r scripts/requirements.txt'. Installing Python dependencies is expected for a Python CLI but introduces normal supply-chain risk (pip packages). The requirements.txt file is included in the bundle; users should inspect it before pip install or use an isolated virtualenv. No direct downloads from untrusted URLs were seen in the skill files themselves.
Credentials
The skill declares no required environment variables, no credentials, and no external config paths. All network calls target public data providers needed for market data (see note). It does not request AWS/GitHub/other unrelated keys.
Persistence & Privilege
always:false and default invocation behavior. The skill persists local caches and a user profile under scripts/, which is reasonable for this tool. It does not modify other skills or system-wide agent settings.
Scan Findings in Context
[http_client_usage] expected: The code uses httpx and WebSocket/HTTP connections to fetch data from aipo.myiqdii.com, aastocks.com, hkex (disclosure site), sinajs/qt.gtimg (Tencent/Sina), futu/tradesmart endpoints — all consistent with collecting market/IPO data.
[writes_user_config] expected: The SKILL.md and code write/read scripts/config/user-profile.yaml to store user risk/capital settings; this is expected for personalization.
[pip_install_requirements] expected: SKILL.md instructs installing requirements via pip (scripts/requirements.txt). This is normal, but pip install carries standard dependency risk—inspect the requirements list before installing.
Assessment
This skill appears coherent and implements what it claims: it scrapes public IPO data sources and provides CLI analysis. Before installing, take these precautions: (1) inspect scripts/requirements.txt and run pip inside an isolated virtualenv or container; (2) review the network endpoints the tool will call (aipo.myiqdii.com, aastocks.com, hkex, sinajs/qt.gtimg, futu, tradesmart, etc.) to ensure you are comfortable with outbound connections; (3) be aware the tool will write local cache and a user profile under scripts/ (scripts/config/user-profile.yaml); (4) if you use private credentials for any broker APIs later, check whether the code ever adds new environment variable requirements — currently none are requested. If you want extra assurance, run the CLI in a read-only or sandboxed environment and audit scripts/cache.py and scripts/requirements.txt before use.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e9wvfpcs9tad27zcvjwd4md820x5p
