ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Daily Express

v1.0.0

📈 A股每日快报自动生成 - 自动获取今日大盘行情、涨跌排名、热点板块,一键生成小红书/公众号文章,直接就能发。炒股懒人必备,每天省你半小时整理时间。

0· 57·0 current·0 all-time
by@rudagebil11-jpg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is generating A‑share daily reports and the code indeed fetches market data and generates platform-specific text. However the manifest/metadata claim no required binaries or env vars while the implementation invokes the system 'python' interpreter and requires the Python package 'akshare' (SKILL.md mentions pip install akshare). Declaring Python (or a runtime requirement) in the metadata would be expected but is missing.
Instruction Scope
SKILL.md describes only fetching market data (akshare/Eastmoney), analyzing and generating reports — that matches the code. The runtime JS uses child_process.execSync to run an embedded Python snippet; the snippet does not use user-supplied input and only calls akshare functions. There is no obvious file-reading or credential access beyond network calls to retrieve market data. The pre-scan found unicode-control-chars in SKILL.md which could indicate hidden characters intended to manipulate LLM processing; this should be investigated.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to pip install akshare and npx to install the skill. The code relies on a local Python interpreter and akshare from PyPI (standard but not declared). No third-party binary downloads or obscure URLs are used. Risk is moderate because execSync will run system 'python', so you should ensure that Python/akshare come from a trusted environment (virtualenv/container).
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportional for a data-fetch-and-format tool. The only external dependency is akshare (which fetches market data from public sources).
Persistence & Privilege
The skill does not request persistent/always-on privileges, doesn't modify other skills, and has no special agent-wide settings. default autonomous invocation is allowed but not combined with other privilege concerns.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md was flagged for embedded Unicode control characters. This is not expected for a simple README/instructions and could be an attempt to alter LLM parsing or hide content. The rest of the files are plain JS/JSON with no obvious obfuscation.
What to consider before installing
What to check before installing: - Verify Python is installed and comes from a trusted source; the skill calls the system 'python' and runs akshare (pip install akshare is required). Use a virtualenv or container to isolate that installation. - akshare fetches/scrapes public Chinese finance sites (Eastmoney, etc.); expect network access. If you must limit network or third-party access, run in a restricted environment. - The Node code uses child_process.execSync to run a Python -c string. Although the current code embeds a static Python snippet (no user input passed into the Python command), execSync increases risk if the skill is modified. Inspect scripts/daily-generator.js yourself; consider running it locally in a sandbox first. - The SKILL.md was flagged for hidden unicode control characters. View the file in a hex/raw editor or re-download from a trusted source to ensure no invisible characters are present that could affect LLM processing. - Author and homepage are unknown. If you need higher assurance, ask the author for provenance, or prefer a skill with a verifiable source (GitHub repo, maintainer identity). If you decide to proceed: install akshare in an isolated environment, inspect the code, and run one test invocation rather than enabling it for broad autonomous use.
scripts/daily-generator.js:45
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972x8s5y8skan6sahzgdwy5rh83rhmb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments