ClawHub

LG Data Stock Monitor

v1.0.6

Cloud Quant & Stock Monitor (A-share/H-share). Serverless trading alerts to Feishu/WeChat. Portfolio PnL, minute bars, and zero-friction user feedback. 自动盯盘,...

1· 122·0 current·0 all-time
by@guangfuwu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description advertise a cloud stock monitor and alerts to Feishu/WeChat; the scripts call endpoints on an LG agent service and require LG_AGENT_* credentials — this matches the stated purpose. Minor mismatch: the scripts rely on curl being available but the registry metadata lists no required binary.
Instruction Scope
SKILL.md instructs the user to set LG_AGENT_BASE_URL and LG_AGENT_TOKEN and to run the included scripts. The scripts only read the declared env vars (LG_AGENT_BASE_URL, LG_AGENT_TOKEN, LG_AGENT_COOKIE_HEADER, LG_AGENT_CSRF_TOKEN) and call the service's HTTP endpoints; they do not attempt to read other system files or exfiltrate unrelated data. Note: the default BASE_URL points to https://lg-data.cc, so if you leave LG_AGENT_BASE_URL unset your token/requests will go to that external host.
Install Mechanism
There is no install spec (instruction-only), and the included scripts are invoked directly. This keeps filesystem impact minimal. Note: the package includes executable shell scripts but does not declare curl as a required binary; running the scripts will fail or behave unexpectedly if curl is not present.
Credentials
The four required env vars correspond to authenticating against the lg-data service (Bearer token or cookie+CSRF fallback). The number and type of env vars are proportionate to the service being used. No unrelated credentials or system paths are requested.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide agent settings. It does not request permanent presence or elevated privileges.
Assessment
This package appears to be what it says: a set of shell helpers that call an LG cloud service to list data assets, execute skills, and approve pending actions. Before installing or using it, verify you trust the destination domain (default https://lg-data.cc) because your token or session cookie will be sent there. Ensure curl is available on the host (the scripts use curl but the metadata doesn't list it). Do not hard-code your LG_AGENT_TOKEN in files; use environment variables and minimal-scope tokens if possible. If you plan to run arbitrary JSON through scripts/lg_agent_exec.sh, be careful about untrusted input (passing unescaped strings into shell variables can be risky). If you want to self-host or inspect behavior, consider running the scripts in an isolated environment and reviewing network traffic to confirm endpoints and payloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk979xsekgq45qx0tt0bh41s51s84hfx9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
EnvLG_AGENT_BASE_URL, LG_AGENT_TOKEN, LG_AGENT_COOKIE_HEADER, LG_AGENT_CSRF_TOKEN

Comments