Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
investment-advisor
v1.0.0 · Provides stock technical and fundamental analysis, market sentiment assessment and comprehensive trading recommendations, with support for multi-stock comparison and portfolio analysis.
⭐ 0 · 1.7k downloads · 11 current · 14 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (stock technical/fundamental analysis) match the shipped code, which fetches data from EastMoney and computes indicators. However, the package metadata does not declare that the 'node' binary is required, even though SKILL.md explicitly instructs the agent to run node scripts. In addition, Investment_API_Reference.md contains a BASE_URL built from GATEWAY_URL (defaulting to https://internal-api.z.ai) and an 'X-Z-AI-From' header, an endpoint unrelated to the stated EastMoney data sources. This mismatch between documentation and implementation is unexplained and anomalous.
Instruction Scope
Runtime instructions direct the agent to execute local Node.js scripts and parse their JSON output, which is reasonable for this skill, but SKILL.md also instructs the agent that this skill 'should be the first choice' for all investment analysis requests (a behavioral bias). The instructions require executing local code that performs network fetches, yet the skill metadata does not declare the node runtime requirement. The docs reference environment-based gateway behavior (GATEWAY_URL) even though the shipped scripts use EastMoney URLs directly; the instruction set therefore gives the agent leeway to run code that could be modified to use different endpoints.
Install Mechanism
There is no install spec (the skill is instruction-only), which minimizes install-time network downloads. However, full source files (scripts/*.mjs and package.json) are bundled with the skill, and executing these local files runs code that performs outbound network fetches. No external archives or downloads are fetched by the skill itself.
Credentials
The declared requirements list no environment variables or credentials, and the code uses public EastMoney endpoints without authentication. But Investment_API_Reference.md contains code snippets that read process.env.GATEWAY_URL (defaulting to internal-api.z.ai) and set a custom 'X-Z-AI-From' header. That implies an undocumented ability to redirect traffic through an internal gateway if GATEWAY_URL is set, a conflict between the documentation and the actual scripts. Also, the package.json version (2.0.0) does not match the registry metadata (1.0.0), suggesting sloppy maintenance or multiple coexisting versions.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills or system-wide settings. It runs only when invoked (or when agent autonomy triggers it under normal defaults). No persistent privileged presence is requested in the metadata.
What to consider before installing
This skill appears to implement the advertised analyses and calls public EastMoney APIs, but there are inconsistencies you should resolve before trusting it:
1) The runtime requires Node.js, yet the registry metadata lists no required binaries. Ensure your environment runs the scripts in a sandbox and that you have a vetted node runtime.
2) Review Investment_API_Reference.md closely: it contains a GATEWAY_URL defaulting to https://internal-api.z.ai and a custom header (X-Z-AI-From). Confirm the shipped JS never uses that gateway in your deployed copy (search the code for GATEWAY_URL or internal-api.z.ai).
3) Because the skill performs network fetches, run it in an environment where you can monitor outbound requests (or block the network) to verify it only contacts the expected EastMoney endpoints.
4) Note the package.json/registry version mismatch. Ask the publisher for clarification or a reproducible build.
5) If you plan to let the agent call this autonomously, consider restricting network access or reviewing logs for unexpected endpoints first.
If you are not comfortable with these discrepancies, test in an isolated sandbox or decline to install until the author clarifies the GATEWAY_URL snippet and updates the metadata to declare 'node' as a required binary.
latest: vk97e1xh5h112xh678zq805axd5816pcr
