ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

my_stock_tradeagents_rebuild_skill

v1.0.3

当且仅当用户明确提出“重新构建tradeagents”或类似高度相关指令时触发。主要功能为在 ~/TradingAgents 目录下重新创建并激活 Python 虚拟环境,安装包及依赖,最后总结修改并推送到远程仓库。

0· 154·2 current·2 all-time
by@canonxu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for canonxu/my-stock-tradeagents-rebuild-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "my_stock_tradeagents_rebuild_skill" (canonxu/my-stock-tradeagents-rebuild-skill) from ClawHub.
Skill page: https://clawhub.ai/canonxu/my-stock-tradeagents-rebuild-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install my-stock-tradeagents-rebuild-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install my-stock-tradeagents-rebuild-skill
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md behavior (cd ~/TradingAgents, rm -rf venv, python3.13 -m venv, pip install ., git add/commit/push) is consistent with the described purpose, but metadata and declarations are inconsistent: skill.json's description references conda while SKILL.md uses venv, skill.json slug/author differ from registry owner, version numbers mismatch, and the skill declares no required binaries even though it relies on python3.13, git, and shell utilities. These mismatches are unexplained and reduce trust.
!
Instruction Scope
Instructions perform destructive local actions (rm -rf venv) and repository-wide operations (git add .; git commit; create branch; git push) automatically with no safety checks, diffs, or user confirmation beyond the initial trigger phrase. This can commit and push any files in ~/TradingAgents (including secrets/configs) to the remote. The SKILL.md requires operations be within ~/TradingAgents, which limits scope, but there are no additional safeguards.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. The scanner had no files to analyze. However, absence of an install spec means required runtime binaries (python3.13, git) are assumed available but not declared.
!
Credentials
The skill declares no required environment variables or credentials, yet it will push to a Git remote — which requires authentication (SSH keys, credential helpers, or stored tokens). The skill also assumes python3.13 exists. Not declaring these requirements is disproportionate and hides the fact that repository contents (potentially sensitive) may be transmitted to a remote server.
Persistence & Privilege
always:false and the skill does not request persistent privileges or attempt to modify other skills or global agent settings. Autonomous invocation is allowed (platform default); while not flagged on its own, combined with automatic push/commit behavior this increases potential blast radius.
What to consider before installing
Before installing or invoking this skill: (1) Note the inconsistencies in packaging (skill.json vs SKILL.md and owner/slug/version mismatches) — ask the publisher to clarify. (2) Understand the skill will run rm -rf venv, build/install packages, then git add/commit and push everything in ~/TradingAgents without further confirmation — audit the repo for secrets and make backups/clones first. (3) Ensure python3.13 and git are present and your Git authentication is configured (or expect pushes to fail/occur using existing credentials). (4) If you want safer behavior, request the skill be changed to: prompt for confirmation before committing/pushing, show a git diff/status, and declare required binaries and credential usage explicitly. If any of the inconsistencies or automatic push behavior is unacceptable, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979varxb0tjfc9dshda9hwe5d83xdxn
154downloads
0stars
4versions
Updated 4w ago
v1.0.3
MIT-0
@canonxu
latest
Download

my_stock_tradeagents_rebuild_skill (重建 TradingAgents 环境技能)

核心规则与触发条件

  • 触发条件:只有当用户明确说出“重新构建tradeagents”或类似明确的指令时才触发该技能。
  • 环境要求:所有的操作必须在 ~/TradingAgents 目录空间下执行。

工作流程

1. 切换工作空间

强制要求所有操作都在 ~/TradingAgents 目录下进行。

cd ~/TradingAgents

2. 重建 Python 虚拟环境

为了保证环境纯净,如果 venv 目录已存在,则删除并重新创建。

# 删除旧环境
rm -rf venv

# 创建新环境 (使用系统 python3.13)
python3.13 -m venv venv

# 激活环境
source venv/bin/activate

3. 安装依赖与包

使用虚拟环境内的 pip 安装当前目录下的包以及所有依赖。

./venv/bin/pip install --upgrade pip
./venv/bin/pip install .

4. 总结代码修改并推送到远程

分析当前空间(~/TradingAgents)内文件的修改情况,提交变更并推送到远程 Git 仓库:

git add .
git commit -m "Auto-commit: 重新构建 TradingAgents 环境并更新相关文件"
BRANCH_NAME="feature/rebuild-$(date +%Y%m%d%H%M%S)"
git checkout -b $BRANCH_NAME
git push origin $BRANCH_NAME

Comments

Loading comments...