Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A股模拟账户交易
v1.0.1A股模拟盘交易与回测技能。Use when 用户要启动模拟仓服务、创建多账户、下限价单/市价单、撤单、查询持仓资金、验证涨跌停成交逻辑或运行A股回测。
⭐ 0· 77·0 current·0 all-time
bycalm@shouldnotappearcalm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, CLI and HTTP routes match the included code: a local paper‑trading engine, server, CLI and backtest/validation scripts. The files and runtime instructions are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs how to run the service, CLI and install a user launchd agent and documents DB/log locations. However several included validation/backtest scripts call MarketDataProvider (paper_trading.market_data) to load real quotes; SKILL.md does not document any network activity or external API use. The server binds to 127.0.0.1 by default (good), but if the MarketDataProvider performs remote HTTP calls or requires credentials this is not reflected in the instructions and broadens the runtime scope.
Install Mechanism
There is no external install step or remote download: the package is instruction + code files. The control script launches the service via subprocess and can install a user LaunchAgent on macOS; nothing downloads arbitrary code from unknown URLs.
Credentials
The skill declares no required environment variables or credentials, which fits a local simulator. But the MarketDataProvider and validation scripts (real_stock_rule_validation.py, backtest_batch_validation.py) may fetch live market data or expect API keys — if that code uses network APIs or env vars for credentials, those are not declared here and should be verified.
Persistence & Privilege
always:false and agent invocation is normal. The skill writes a SQLite DB and log under user-level application data directories and can install a macOS LaunchAgent (~/Library/LaunchAgents) to auto-start the service; installing the LaunchAgent is optional but would make the service persistent in the user account.
What to consider before installing
This package appears to implement a local A‑share paper trading server and CLI as described, but before installing or running it you should: 1) Inspect scripts/paper_trading/market_data.py to see whether it performs network calls or expects API keys (and where it sends data). 2) Do not install the LaunchAgent (install‑launchd) until you review the launch plist and confirm you want a user‑level service started at login. 3) Run the service in an isolated environment (temporary user or container) first — it will create a SQLite DB and logs under your home directory. 4) If you plan to run validation/backtest scripts, be aware they may access real market data and could require network access or credentials not declared in SKILL.md. 5) Review any code that calls subprocess/urllib for external endpoints and confirm no unexpected telemetry or exfiltration. If you want, provide the contents of scripts/paper_trading/market_data.py and I can review it for external network calls or hidden credential usage.Like a lobster shell, security has layers — review code before you run it.
a-sharevk978hf9xykxe25qvbd9p9p70d584j5njbacktestvk978hf9xykxe25qvbd9p9p70d584j5njlatestvk9728e94bp0n7w094fjz66wjtn84vbf0paper-tradingvk978hf9xykxe25qvbd9p9p70d584j5njsimulationvk978hf9xykxe25qvbd9p9p70d584j5nj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.