Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TZZB Analyzer - Tonghuashun Portfolio Analyzer
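v2.4.0
Position analysis tool for the Tonghuashun Investment Ledger (同花顺投资账本). Automatically reads positions, watchlist stocks, and trade records from the Tonghuashun Investment Ledger, combines them with market data to generate in-depth analysis reports, and supports sector distribution, risk monitoring, and threshold alerts.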
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Tonghuashun portfolio analyzer) align with included code: scripts fetch positions/trades/watchlist via Playwright/CDP and generate reports/alerts. Requiring a Chrome debug endpoint and Playwright is expected for a scraper that uses the user's logged-in browser session.
Instruction Scope
Runtime instructions tell the agent to connect to a local Chrome remote-debugging endpoint and run the provided Python scripts — that matches the code. However, cookie_extractor.py calls context.cookies() as a fallback (without restricting URLs) which can return cookies for the whole browser context if the targeted cookies aren't found; attaching to a user's existing Chrome via CDP therefore carries risk of accessing unrelated cookies/tokens. The SKILL.md does not explicitly warn about broad cookie access or instruct the user to use an isolated user-data-dir and to verify login is in that profile.
Install Mechanism
No remote download/install spec; dependencies are standard (Playwright, python-dotenv) and SKILL.md instructs running 'playwright install chromium'. No unusual upstream URLs or archive extraction steps were found.
Credentials
The skill only declares CHROME_DEBUG_URL as a required env var, which fits the purpose. But the code also reads optional env vars (CHROME_PATH, CHROME_USER_DATA_DIR, CHROME_KILL_EXISTING) and can auto-start Chrome or kill existing Chrome when certain env vars are set; these behaviors are powerful and should be noted. More importantly, the skill's cookie extraction requires access to a logged-in browser profile, which is a high-privilege action (it reads session cookies). While necessary to access the user's tzzb account, this is sensitive and proportional only if the user intentionally allows a dedicated browser profile or user-data-dir to be used.
Persistence & Privilege
always is false. The skill writes only to its own memory/ and data/ directories (monitor_state.json, cached positions, generated reports). It does not modify other skills or system-wide agent settings.
What to consider before installing
This skill needs access to your Chrome debugging endpoint so it can drive your logged-in browser and extract the Tonghuashun session cookies — that is how it reads your holdings, but it is a high-privilege operation. Before installing:
1) Understand that the skill can access browser cookies and pages when it connects to your browser via CHROME_DEBUG_URL.
2) Use an isolated Chrome user-data directory/profile (set CHROME_USER_DATA_DIR) or start a dedicated Chrome instance for this tool so it doesn't attach to your everyday browser profile.
3) Do not set CHROME_KILL_EXISTING unless you want the skill to forcibly terminate Chrome processes.
4) Review the included scripts (especially scripts/tzzb_parser/cookie_extractor.py and main.py) yourself if possible; pay attention to any code paths that call context.cookies() without URL restrictions.
If you are uncomfortable granting that level of access, do not install or run the skill. If you proceed, run it in a sandboxed environment or an isolated browser profile to limit exposure.
Like a lobster shell, security has layers — review code before you run it.
Tags: analyzer, latest, portfolio, stock, tzzb
Runtime requirements
📊 Clawdis
Bins: python, uv
Env: CHROME_DEBUG_URL
