ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Morning

v1.0.0

Sends a daily 9:45 AM summary of the A-share market open, including key indices, top sectors, volume, and trading suggestions via Feishu.

0· 61·0 current·0 all-time
by@chrislzg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chrislzg/a-stock-morning.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "A Stock Morning" (chrislzg/a-stock-morning) from ClawHub.
Skill page: https://clawhub.ai/chrislzg/a-stock-morning
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install a-stock-morning

ClawHub CLI

Package manager switcher

npx clawhub@latest install a-stock-morning
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description claim: send a 9:45 A-share summary via Feishu. The main script implements that (fetches Tencent index data, formats a report, sends via OpenClaw). However the script also invokes an external 'tavily_search.py' via execSync using an absolute developer path (/Users/chris/.openclaw/workspace/skills/openclaw-tavily-search). That dependency is neither documented in SKILL.md nor declared in requirements (binaries/env), so the code requires more than the stated purpose and declared requirements.
!
Instruction Scope
SKILL.md only mentions fetching Tencent API data and sending via the OpenClaw Feishu channel. The actual runtime code expands scope by running shell commands to execute a local Python script (for fund flow and sector data). SKILL.md does not document this 'Tavily' dependency or the absolute path; executing that external script is out-of-band relative to the documented instructions.
!
Install Mechanism
There is no install spec (instruction-only) which is low-risk in itself, but the code uses child_process.execSync to run external commands and expects external tools (python3 and an external local repo). Because the script executes another repository's Python script (via cd to an absolute path), it will run code not included in the package — this is high-risk behavior for an instruction-only skill.
!
Credentials
Registry metadata declares no required env vars, but README and the send routine imply use of a FEISHU_WEBHOOK or OpenClaw Feishu channel; the script calls the openclaw CLI and a python script, yet no required binaries (python3, openclaw CLI) or env variables are declared. The absolute path reference potentially touches user-specific directories and assumes a particular developer workspace, which is disproportionate and undocumented.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global config. It uses the OpenClaw CLI to send messages and cron is suggested in SKILL.md, but nothing indicates elevated or persistent platform privileges beyond normal operation.
What to consider before installing
This skill's purpose (send an A-share morning report via Feishu) is plausible and most behavior is readable, but there are red flags you should address before installing: 1) The script execs a Python script from an absolute developer path (/Users/chris/...), which will fail for most users and — importantly — will run code not included in the package. Ask the author what that dependency is, request they bundle or document the tavily script (and avoid absolute paths). 2) The package declares no required binaries or env vars, yet it uses the openclaw CLI and python3 and expects a Feishu webhook/config; require these to be documented (FEISHU_WEBHOOK, python3, openclaw CLI). 3) execSync runs shell commands; unknown Python scripts could exfiltrate or run arbitrary operations. If you still want to use it: run it in a sandboxed environment, inspect the external python script's source before allowing execution, or ask the author to remove shell-exec of external repos and replace with documented API calls or bundled code. If the author cannot justify or fix the tavily dependency and the absolute paths, treat the skill as risky and do not grant it access to production credentials or sensitive environments.
scripts/morning-summary.mjs:86
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cf55eh70m363jwrtz4z9z7n84tae0
61downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@chrislzg
latest
Download

A股早盘提醒

每个A股开盘日 9:45 通过飞书发送当日开盘情况总结。

触发条件

  • 时间:每交易日 9:45(周一至周五)
  • 时区:Asia/Shanghai
  • 注意:节假日需额外判断

内容

  • 上证指数、深证成指、创业板指
  • 沪深300指数
  • 涨跌分布统计
  • 热门板块 Top 5
  • 成交额
  • 操作建议

实现

使用腾讯股票 API 获取实时数据:

  • 指数: https://qt.gtimg.cn/q={code}

发送

通过 OpenClaw 飞书通道发送给用户。

使用方法

# 仅生成报告
node scripts/morning-summary.mjs

# 生成并发送到飞书
node scripts/morning-summary.mjs --send

Cron 定时任务

设置每天 9:45 执行(OpenClaw 会自动判断是否为交易日):

openclaw cron add "45 9 * * 1-5" --skill a-stock-morning -- --send

Comments

Loading comments...