Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

StockIndexMonitor

v1.0.0

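Full-featured intelligent stock monitoring and alerting system. Supports 7 major alert rules, including cost percentage, moving-average golden cross/death cross, RSI overbought/oversold, abnormal trading volume, price gaps, and dynamic take-profit. Follows Chinese investor conventions (red for gains, green for losses).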

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md claims a full, always-running stock monitor with data, alerts, and news analysis, but the skill bundle contains no code, no install spec, no binaries, and no declared data/API credentials. A legitimate implementation would need market-data sources or broker/API keys and some executable code; those are missing.
! Instruction Scope
Runtime instructions tell the agent/user to cd into ~/workspace/skills/stock-monitor/scripts and run ./control.sh start/status/log/stop. The package contains no scripts. Directing execution of a local control.sh (which may not exist) is vague and could cause an agent or user to create/execute arbitrary shell scripts — a scope mismatch and potential operational risk.
Install Mechanism
There is no install spec (instruction-only), which normally reduces risk. However, because the instructions expect a local persistent process (control.sh) but the bundle provides no code or source to install, it is unclear how the runtime assets are obtained — this ambiguity increases risk if the agent or user fetches code from an untrusted location.
Credentials
The skill declares no required environment variables or credentials. Real-world monitoring (market data, news APIs, or trading) typically requires API keys or service credentials; their absence is an inconsistency (either omitted or expected to be supplied later interactively). This could lead to ad-hoc credential requests or insecure behavior.
Persistence & Privilege
The instructions expect running a background/daemon process under the user's workspace, which implies file creation and persistent execution. The skill does not request platform-wide privileges or set always:true, but persistent local processes can still have impact; the skill gives no guidance on where code comes from or what user account it should run under.
What to consider before installing
This skill claims a full stock-monitoring daemon but provides no code, install steps, or data sources, and asks you to run a local ./control.sh that isn't included. Before installing or following these instructions:
(1) Ask the publisher for the actual source code or an install package, and for its provenance (GitHub repo, release URL, checksum).
(2) Request explicit details of what market-data APIs or news endpoints it uses and what credentials (if any) are required.
(3) Never run an unknown control.sh: inspect its contents first; run it in a sandbox or throwaway VM as a non-privileged user.
(4) If the skill will fetch code at runtime, require signed releases from a trusted host.
(5) If you plan to provide API keys, only give the minimum-scoped keys and verify the network endpoints the skill uses.
Given the missing pieces, do not run any start scripts or grant credentials until the author supplies source code and a clear install plan.

Like a lobster shell, security has layers — review code before you run it.

latestvk973sb97egakkc8rxg6z4kmj6h83g2p5
