Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Leader Identification 1.0.0

v1.0.0

Quickly find the "true dragon" within a sector and identify the leading stock. For stock selection in short-term A-share trading.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description and the SKILL.md align: both describe heuristics for identifying leading A-share (A股) short-term stocks. The skill requests no binaries, env vars, or installs, which is proportionate for an instruction-only heuristic. However, _meta.json contains a different ownerId/slug than the registry metadata provided, an unexplained packaging inconsistency that could indicate sloppy publishing or a copy-paste error.
Instruction Scope
The SKILL.md contains only high-level rules and a simple workflow (find first limit-up in a sector, check order size, turnover, themes). It does not instruct reading local files, environment variables, or external endpoints explicitly. That said, it is vague on how to obtain market data (which APIs/feeds to use) and therefore grants the agent broad discretion at runtime to query external services or fetch data — a potential operational risk if the agent is allowed network access or to use third-party API keys.
Install Mechanism
No install spec and no code files — instruction-only. There is nothing written to disk by the skill itself and no third-party packages are pulled in by an installer.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. There is no apparent need for secrets or cloud credentials to perform what the instructions describe.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request permanent presence or elevated privileges. Autonomous model invocation is allowed by platform default but is not combined here with other high-risk factors.
What to consider before installing
This skill is essentially a short, human-readable checklist of heuristics for spotting sector leaders and does not request credentials or install code — that's good. However: (1) the package metadata appears inconsistent (ownerId/slug mismatch in _meta.json), which is a publishing red flag you may want to verify with the source; (2) the instructions are high-level and do not specify trusted data sources or APIs, so if you let your agent run this skill and it has network access it may call arbitrary market data endpoints — confirm which data feeds it will use and whether API keys are needed; (3) this is trading guidance, not guaranteed investment advice — consider limiting the agent's ability to execute trades automatically and review any actions before they are taken. If you proceed, verify the skill's publisher and restrict network/credential access for the agent until you trust the data sources it will use.

Like a lobster shell, security has layers — review code before you run it.
