恢恢量化 A-Share Data Assistant

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.destructive_delete_command

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When relevant A-share questions are asked, the agent may run local Python scripts through Bash to retrieve and format data.

Why it was flagged

The skill grants the agent Bash access to run bundled Python scripts. This is disclosed and central to the market-data purpose, but users should notice that invocation uses a broad local command tool.

Skill content
tools: ["Bash"] ... All scripts are located under `scripts/` in this skill's directory and are run with the Bash tool ... python3 "$SKILL_DIR/fetch_snapshot.py"
Recommendation

Install only if you are comfortable with the agent using Bash for these bundled scripts; keep invocation tied to the documented market-data tasks.

What this means

If a user follows the README instead of registry installation, they are trusting the current GitHub branch contents and the scoped deletion command.

Why it was flagged

The manual install path fetches the current GitHub repository state and replaces the existing skill directory. This is user-directed and scoped, but it is not pinned to a commit.

Skill content
git clone --depth 1 https://github.com/Niceck/hhxg-top-hhxg-python.git /tmp/hhxg-market && \
  rm -rf ~/.openclaw/skills/hhxg-market && \
  mv /tmp/hhxg-market ~/.openclaw/skills/hhxg-market
Recommendation

Review the repository before manual installation, consider pinning a trusted commit, and verify the rm -rf path before running the command.

What this means

The assistant may show cached public market data if hhxg.top is unreachable, which could be stale.

Why it was flagged

Fetched provider data is cached locally and reused when the network is unavailable. The cached content appears to be public market/news data, not private user data.

Skill content
CACHE_DIR = os.path.expanduser("~/.cache/hhxg-market") ... _save_cache(cache_file, data)
Recommendation

Check the displayed date/cache warning when using results, and clear ~/.cache/hhxg-market if you do not want cached provider data retained.

Findings (1)

warn

suspicious.destructive_delete_command

Location
README.md:42
Finding
Documentation contains a destructive delete command without an explicit confirmation gate.