ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ETF投资助理

v1.0.1

ETF投资助理 / ETF Investment Assistant - 查询行情、筛选ETF、对比分析、定投计算。支持沪深300、创业板、科创50、纳指等主流ETF。

11· 3.6k·12 current·14 all-time
by@franky0617
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description (ETF queries, screening, DCA calc) aligns with the provided shell script and SKILL.md. Minor inconsistency: the package metadata declares no required binaries, but the script invokes external tools (curl, python3, bc, grep/sed/sort). These are common system tools and consistent with the stated functionality, but the metadata should have listed them.
Instruction Scope
SKILL.md describes CLI commands that match the behavior implemented in etf-assistant.sh. Runtime instructions and code only fetch public market data from Yahoo Finance and perform local calculations/searches; they do not read arbitrary files, access credentials, or transmit data to unexpected endpoints.
Install Mechanism
No install specification (instruction-only) and the shipped shell script is run locally. No downloads, package installs, or archive extraction are performed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It does make outbound requests to Yahoo Finance as documented in SKILL.md; no secrets are required or used.
Persistence & Privilege
always:false (default) and there is no code that modifies other skills or system-wide configuration. The skill runs when invoked and does not request permanent elevated presence.
Assessment
This skill appears coherent and focused on ETF lookups and simple calculations. Before installing: note that it runs a local shell script which expects standard tools (curl, python3, bc, grep/sed). It will make network requests to Yahoo Finance (public endpoints) to fetch quotes. It does not request any credentials or write system files. If you require strict offline or no-network operation, do not install. Also consider that minor bugs (e.g., small string-handling issues) may exist in the script, but there are no indications of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qar97w2mbwfkb93dd8mzph806cnk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments