Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Investment Brief Generator

v1.0.1

Stock analysis AI tool | Smart Investment Brief Generator - automatically generates individual stock analysis reports, market hot-topic tracking, and portfolio monitoring. Supports A-shares, Hong Kong stocks and US stocks, real-time stock price lookup, technical analysis, and research report generation. One-click generation of professional Markdown investment reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (node), and the single required env var (TAVILY_API_KEY) line up with a Tavily-backed stock briefing tool. The code uses Tavily credentials and Node.js only — nothing requests unrelated cloud credentials or surprising system access.
Instruction Scope
The runtime script invokes a separate script at ~/.openclaw/skills/tavily-search/scripts/search.mjs via child_process.execSync to perform searches. This is coherent if the author intended to reuse a local 'tavily-search' skill, but SKILL.md does not document this dependency. Because execSync runs a command line assembled as a string (including user-provided query text), any input that is not controlled can inject additional shell commands; the script does not explicitly sanitize or escape these inputs.
Install Mechanism
There is no install spec (instruction-only plus one JS script included). Nothing is downloaded from external URLs or written to nonstandard locations during install, which is low-risk from an install mechanism perspective.
Credentials
Only TAVILY_API_KEY is required and declared as the primary credential, which is proportional to the described functionality. The script does read HOME to locate another skill, but it does not request additional secrets or unrelated environment variables.
Persistence & Privilege
always is false and the skill does not attempt to alter other skills or system-wide configuration. It does execute a local script but does not request permanent presence or elevated platform privileges.
Assessment
This skill appears to do what it claims: generate stock reports using Tavily. Before installing or running it, check that you (1) actually have a valid TAVILY_API_KEY and are comfortable providing it to the skill, (2) verify whether you have or want the dependent skill ~/.openclaw/skills/tavily-search/scripts/search.mjs — if that file is missing the tool will fail, and if it's present you should review it to ensure it doesn't perform unexpected network calls or exfiltrate data, (3) be aware the script uses child_process.execSync to run the search script with user-supplied queries; avoid passing untrusted/unsanitized input and consider running it in a sandboxed environment, and (4) confirm Node.js 18+ is used. If you want higher assurance, open and review the referenced tavily-search script (or replace the exec call with a direct API client) and test with a throwaway API key first.
scripts/generate-brief.mjs:90: shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest · vk97ceatyx73sg61abhe3nm4tgn83aa6j


Runtime requirements

📈 Clawdis
Bins: node
Env: TAVILY_API_KEY
Primary env: TAVILY_API_KEY
