Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trade Analyzer

v1.0.0

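Trading strategy analysis expert - in-depth analysis of trade settlement statements and trade review data, providing win rate, profit/loss ratio, strategy consistency assessment, and improvement suggestions. Supports CSV, Excel, and text input formats, and outputs professional Markdown reports.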

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (trade analysis) match the code and instructions. The skill only needs to read user-provided CSV/text/XLSX data and compute metrics; no unrelated environment variables or binaries are requested.
Instruction Scope
SKILL.md confines runtime behavior to parsing uploaded trade files, computing statistics, and producing a Markdown report. It mentions Excel support via a separate 'document-pro' skill (an external capability the agent may call). The runtime instructions do not direct the agent to read arbitrary system files or to transmit data to unknown endpoints. However, the analyzer.py content in the prompt is truncated, so I could not confirm the remainder of the code does not perform network I/O or other out-of-scope actions.
Install Mechanism
No install spec is declared (instruction-only with included Python source). That minimizes installer risk; nothing is downloaded or executed during install. The README and SKILL.md recommend using openpyxl for Excel, but openpyxl is not declared as installed here.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to a local data-analysis utility. The SKILL.md does note relying on a 'document-pro' skill for Excel parsing—check that skill separately for any credential/network requirements.
Persistence & Privilege
The skill is not forced-always; it is user-invocable and allows normal autonomous invocation (platform default). It does not request persistent privileges or system-wide config changes in the visible instructions.
What to consider before installing
This package appears coherent for local trade-data analysis: it reads user-uploaded CSV/text/XLSX and produces markdown reports and requests no credentials. Before installing or enabling it:
1) Inspect the full analyzer.py (the prompt included a truncated excerpt) to confirm there are no network calls (requests/urllib/socket/subprocess that could exfiltrate data) or hidden eval/exec usage.
2) Review any referenced skill (document-pro) to see if it sends data to external services.
3) Only upload non-sensitive test data initially and run in a sandbox environment.
4) If you will analyze real trading records, ensure the agent/skill runs locally or in a trusted environment since the reports contain sensitive financial data.

Like a lobster shell, security has layers — review code before you run it.
