ClawHub

A Stock Data

Security checks across malware telemetry and agentic risk

Overview

The artifacts are consistent with a public A-share stock-data and charting skill, with only expected external data queries, optional Python dependencies, and local chart output to review.

Before installing, note that the skill may query external financial-data providers and may need optional Python packages for technical indicators. If running the chart scripts, check the hardcoded output path and verify market data before making financial decisions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Info
What this means

Using the skill may contact external financial-data services to retrieve public market data.

Why it was flagged

The skill explicitly uses AkShare as an external financial-data provider. This is central to the stated purpose, but users should know stock queries may result in external data-provider calls.

Skill content
- **AkShare**: 免费开源财经数据接口,覆盖 A股、港股、美股、基金、期货、宏观经济
Recommendation

Use it for public market-data questions, avoid adding private information to queries, and verify important financial results from trusted sources.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If the optional technical-analysis workflow is used, the environment may need extra Python packages installed.

Why it was flagged

The SKILL documents installing an additional Python package while the registry has no install specification. This appears purpose-aligned for technical indicators, but package installation is still a supply-chain step.

Skill content
### 安装依赖
```bash
pip install ta-lib
```
Recommendation

Install optional dependencies only in a trusted or isolated Python environment, and consider pinning versions from known package sources.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

Running the helper script may create or overwrite a chart image at the specified workspace path.

Why it was flagged

The helper script saves a generated chart to a fixed local Windows workspace path. Chart output is purpose-aligned, but the hardcoded path may not match every user's environment.

Skill content
output_file = r'C:\\Users\\Administrator\\.openclaw\\workspace\\601390_chart.png'
plt.savefig(output_file, dpi=150, bbox_inches='tight')
Recommendation

Review or change the output path before running the script if you use a different operating system, workspace, or filename.