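M Valuation Method
v1.0.0 A 5-step stock valuation method based on ROIC and CAPM, providing qualification screening, intrinsic value calculation, and risk and scenario analysis.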
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to perform ROIC/CAPM valuation using Tushare and 'Tavily' search. However, the code embeds a hardcoded TAVILY_API_KEY and a hardcoded Tushare pro token (pro_api call) instead of declaring required credentials. The manifest declares no required env vars or binaries, but the script clearly depends on the 'tushare' Python package, the 'node' binary, and a local Node script at an absolute path (/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs). Those dependencies and credentials are not reflected in the skill metadata and are disproportionate to what the SKILL.md states.
Instruction Scope
SKILL.md instructs the agent to run the included Python script for valuation (in-scope). The script however invokes external Node search scripts via subprocess (sending text queries to a tavily-search script), sets an API key in the environment at runtime, and uses a hardcoded Tushare API token. The code thus performs network searches and remote API calls beyond the single-step valuation described in the SKILL.md; it also relies on a specific local filesystem layout (/root/...) which is not documented. While these actions could be legitimate for data collection, they expand the runtime scope without being declared.
Install Mechanism
There is no install spec but the code depends on external tooling: 'node' and a local Node script, plus the 'tushare' Python package. The manifest lists no required binaries or packages. The skill therefore risks failing or invoking unexpected local scripts/executables (absolute /root path). No package provenance or install safety is provided.
Credentials
The skill declares no required environment variables or credentials, yet the code sets os.environ['TAVILY_API_KEY'] to a literal API key and calls ts.pro_api(...) with a hardcoded token. Hardcoded credentials are a red flag: they may be leaked/stolen credentials or tie API usage to the author's account. The script overwrites/sets an env var at process startup without declaring it, and it does not provide a way to supply the user's own credentials via declared env vars.
Persistence & Privilege
The skill does not request persistent installation (always: false) and does not appear to modify system-wide settings or other skills. It does set an environment variable only within the process and invokes subprocesses. That limits persistence, but the subprocesses call remote services and depend on local scripts, increasing runtime risk. No evidence of writing persistent credentials or altering other skills was observed in the provided files.
What to consider before installing
This skill likely implements the advertised valuation method, but it has several red flags you should address before installing or running it:
(1) The Python file contains hardcoded API keys (a TAVILY_API_KEY and a Tushare pro token). Do not run it if you do not trust these keys or their owner — they may be tied to someone else’s account or be abused.
(2) The script calls a Node script at an absolute path (/root/.openclaw/.../tavily-search/scripts/search.mjs) and requires the 'node' binary and the 'tushare' Python package, none of which are declared in the manifest. Confirm those dependencies and that the referenced Node script is legitimate.
(3) Prefer that the author remove hardcoded credentials and instead accept user-provided API keys via declared env vars, and explain/install required binaries.
(4) If you want to test it: run in an isolated sandbox/container, monitor network calls, and replace the embedded tokens with your own keys (or delete them) before using.
Ask the publisher to (a) declare required binaries and env vars, (b) remove or justify embedded keys, and (c) avoid absolute /root paths so the skill is portable and auditable.
Like a lobster shell, security has layers — review code before you run it.
investment latest stock valuation
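M Valuation Method
A stock valuation method based on ROIC and CAPM, created by 蟹老板.
Overview
A complete 5-step stock valuation analysis framework:
- Qualification screening (ROIC > w)
- Core parameter calculation
- Intrinsic value calculation
- Valuation decision and risk analysis
- Scenario analysis
Usage
When the user says "用M估值法分析[股票]" ("analyze [stock] with the M Valuation Method"), use this skill:
python3 ~/.openclaw/workspace/skills/m-valuation/valuation.py <stock_code> [name]
# Examples
python3 ~/.openclaw/workspace/skills/m-valuation/valuation.py 000333 美的集团
python3 ~/.openclaw/workspace/skills/m-valuation/valuation.py 600036 招商银行
Trigger phrases
- "M估值法" ("M Valuation Method")
- "用M估值法分析" ("analyze with the M Valuation Method")
- "M估值" ("M valuation")
Data sources
- Tushare API - A-share financial data
- Tavily search - retrieves the β coefficient and non-A-share data
Core formulas
- w = Rf + β × (Rm - Rf)
- d = payout ratio = D₀/E
- g = (1-d) × ROIC
- PE = d × (1+g) / (w - g)
- Expected return = dividend yield + g
Output
- Qualification screening result
- Core parameters (dividend yield, expected return)
- Intrinsic value
- Risk analysis (dividend risk, growth risk)
- Scenario analysis (zero-growth / 3%-growth PE)
- Investment recommendation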
