Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qiaofuture Boston Stock King

v3.0.0

巧未来·波龙股神 (Qiaofuture Boston Stock King) - a gamified AI stock-picking system produced by 学来学去学习社. Slogan: "If you have money, you have a future." Supports stock picking, "incense" donations (香火随喜), comforting phone calls, and milk-tea "care" gifts.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (gamified stock selection + 'care' features) align with the included code: picker engines, gamification, photo/phone/milk-tea workflows, and local data files. The skill's encouragement of donations ('香火') and in-skill payment QR flow is consistent with the branding and README, so capability requests are coherent with the stated purpose. Note: a financial advice disclaimer exists, but promises of a 'private WeChat' and preferential treatment for payers are present in code/content.
Instruction Scope
SKILL.md and the scripts request/encourage user photos, phone numbers, shipping addresses, and direct payments (QR images hosted on a third‑party cloud). The guide instructs users to run commands to install optional phone/tts skills and to add a payment QR image into assets and modify the script. The skill's runtime behaviour (storing PII in local JSON files, asking for photos, and instructing payment) goes beyond pure 'stock selection' and introduces privacy and social engineering surface that should be explicitly consented to by users.
Install Mechanism
No install spec is provided (instruction‑only), so there is no automatic download/install of remote executables. The package does include Python scripts (which will run if invoked) and declares pip dependencies in SKILL.md. There are no suspicious external binary downloads or URL‑extraction installers in the package metadata.
Credentials
The skill declares no environment variables or credentials, which is appropriate, but it collects personal data (phone numbers, addresses, photos) and stores them in local JSON files. It also promotes payment via QR images hosted on qiaofuture-1409741263.cos.ap-guangzhou.myqcloud.com — a developer‑controlled storage location. Requesting PII and soliciting money is disproportionate for a simple selection/analysis tool unless users are clearly informed which account receives payments and how PII is protected.
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It persists user data to files under scripts/data (user_profiles.json, pick_history.json, care_records.json, etc.). Persisting PII locally is normal for user profiles, but users should know data retention location and cleanup procedures. The skill does not appear to modify other skills or global agent config.
What to consider before installing
This skill implements what it promises (stock picks + gamified 'care' features) but also asks for sensitive personal data and encourages payments to QR codes hosted on the developer's cloud storage. Before installing/relying on it:

- Don't submit real phone numbers, addresses, or ID photos until you confirm how the data will be used, stored, and deleted; test with dummy data first.
- Inspect the payment QR images/URLs and verify whose account they belong to — treat any payment request as money sent to the developer unless proven otherwise.
- Review the ai-calls-china-phone and tts optional skills before installing them (they may require call/SMS permissions and have separate costs).
- If you will run the Python scripts, run them in a sandbox or isolated environment and audit the code paths that handle uploads, network calls, and file writes.
- Consider legal/regulatory implications: the skill offers financial recommendations and promotional upsells; ensure you are comfortable with the disclaimers and do not treat outputs as professional investment advice.

Given these privacy/payment/social-engineering risks (but no clear malware), proceed only after verifying payment recipients and data handling practices, or prefer a version that omits PII collection and payment QR guidance.
