Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Stock Analysis v2.1

v2.1.0

LLM-driven daily stock analysis system, full edition v2.1. Supports intelligent analysis of A-shares, Hong Kong stocks and US stocks, a decision dashboard, market review, sector analysis, Agent stock Q&A, and multi-channel push. Provides combined technical and fundamental analysis. Trigger words: 股票分析 (stock analysis), 分析股票 (analyze a stock), 每日分析 (daily analysis), 大盘复盘 (market review), 板块分析 (sector analysis), 问股 (ask about a stock).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (daily stock analysis, multi-market, AI recommendations, multi-channel push) match the code and runtime instructions. The skill relies on akshare, optional OpenAI/Gemini, and push webhooks — all sensible for the stated functionality. One minor inconsistency: the registry metadata declares no required config paths or credentials, but the SKILL.md and code expect a local config.json (copied from config.example.json) containing API keys/webhook tokens; this is a documentation/metadata omission rather than malicious behavior.
Instruction Scope
SKILL.md instructs installing Python dependencies, creating/editing config.json, and running the included scripts or scheduling daily_push via cron. The runtime instructions and code only reference market data, AI provider endpoints (via provided API key), and configured push endpoints. I found no instructions that ask the agent to read unrelated system files or transmit arbitrary local data.
Install Mechanism
There is no automated install spec; SKILL.md asks the user to pip install listed dependencies (akshare, pandas, numpy, requests, openai, yfinance). Dependencies come from PyPI (no arbitrary downloads or extracted archives). This is a low-to-moderate risk pattern but proportionate to the skill.
Credentials
The skill does not declare required environment variables in the metadata, but it expects API keys and webhook tokens to be placed into config.json (ai.api_key, tushare_token, feishu_webhook, telegram_token, email_password, etc.). These credentials are proportional to the functions (AI calls, market data, pushes). The code also respects HTTPS_PROXY for Gemini calls. Users should be aware that enabling push channels requires adding tokens/passwords to config.json stored on disk.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It will run network requests when invoked (including autonomous invocation, which is the platform default). The skill does not attempt to modify other skills or global agent settings.
Assessment
This skill appears to be what it claims: a local Python-based stock analysis tool that fetches market data, optionally calls an LLM provider, and can push reports to configured channels. Before installing or enabling it:
- Review and edit config.example.json carefully; only add API keys/webhooks you trust and keep config.json private (it's stored on disk).
- Only enable push channels (Feishu, Telegram, Discord, email) if you trust those webhook URLs/tokens — the skill will send report data to them.
- Consider running the skill in an isolated environment or container and avoid placing high-privilege credentials (e.g., cloud admin keys) into config.json.
- Inspect notifier and update scripts (setup.sh / update.sh / run.sh) before executing them; the package does not include an automated installer but does provide shell scripts — running arbitrary scripts can change your system.
- If you plan to use the AI features, supply an API key for only the provider you intend to use and monitor usage.
If you want extra assurance, request the full contents of the remaining truncated files (setup.sh, notifier.py, update.sh, run.sh, and any omitted modules) so they can be reviewed for any hidden network endpoints or shell commands.
