Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

持仓诊断 (Portfolio Diagnosis)

v1.0.2

Portfolio diagnosis skill (Tushare-driven edition), designed for A-share investors. Triggered when the user says things like "help me diagnose my portfolio", "take a look at my stock portfolio", "is my position sizing reasonable", "is my portfolio risky", or "what is my portfolio's Sharpe ratio". Uses the Tushare SDK to fetch real-time quotes and historical data, performs quantitative risk diagnosis covering volatility, Beta, Sharpe ratio and maximum drawdown, and generates a professional diagnostic report containing: ...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for luokeer52/portfolio-diagnosis.

Prompt preview (Install & Setup):
Install the skill "持仓诊断" (luokeer52/portfolio-diagnosis) from ClawHub.
Skill page: https://clawhub.ai/luokeer52/portfolio-diagnosis
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install portfolio-diagnosis

ClawHub CLI


npx clawhub@latest install portfolio-diagnosis

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md description claims a 'Tushare-driven' portfolio diagnosis. However the included code is a thin client that forwards user messages to a remote Prana/Claw service (POST /api/claw/agent-run) rather than implementing Tushare logic locally. That can be legitimate (server-side implements Tushare), but the skill metadata and files do not make explicit that all data processing happens remotely — possible user expectation mismatch.
Instruction Scope (flagged)
Runtime instructions / scripts will: (1) attempt to GET /api/v1/api-keys from a remote base URL (default https://claw-uat.ebonex.io/); (2) write fetched credentials into config/api_key.txt by default; (3) POST user messages to remote agent-run endpoints and poll agent-result. These actions transmit user-provided portfolio data and persist platform credentials. The SKILL.md frontmatter does not prominently declare automatic credential fetching/persistence, which is a scope & privacy concern.
Install Mechanism
No network download/install of arbitrary code is present in the package. Node dependency is minimal ('yaml') declared in package.json. There is no external archive download or obscure install URL; overall install risk is low.
Credentials (flagged)
The skill manifest declared no required env vars, but the scripts read and act on multiple environment variables (NEXT_PUBLIC_URL, ENCAPSULATION_TARGET, ACCOUNT_ID/PRANA_ACCOUNT_ID, PRANA_SKILL_PUBLIC_KEY / PRANA_SKILL_SECRET_KEY / PRANA_SKILL_API_KEY, PRANA_SKILL_SKIP_WRITE_API_KEY, PRANA_SKILL_NO_AUTO_API_KEY, poll interval/attempts). The scripts will auto-fetch and persist platform public_key:secret_key credentials unless disabled — this is sensitive behavior and was not surfaced as required/provided env in the manifest.
Persistence & Privilege (flagged)
The package will persist credentials to disk (config/api_key.txt) by default after an automatic GET /api/v1/api-keys. skill.yaml allows network and filesystem. The skill is not 'always: true', but automatic credential retrieval and on-disk storage increase persistent sensitive state and blast radius if the remote endpoints or default base URL are unexpected.
What to consider before installing
This package is a thin 'Prana/Claw' client, not a local Tushare implementation: it forwards your messages and portfolio data to a remote service for execution. Important things to consider before installing or running:
- Data leaving your environment: The scripts POST user messages to remote endpoints (agent-run/agent-result). If you share private portfolio data, it will be transmitted to that remote service.
- Automatic credential fetch and on-disk storage: By default the client will call GET /api/v1/api-keys on a base URL (defaults to https://claw-uat.ebonex.io/) and, if successful, write a public_key:secret_key line into config/api_key.txt. If you do not want keys written, set PRANA_SKILL_SKIP_WRITE_API_KEY=1, or disable auto-fetch via PRANA_SKILL_NO_AUTO_API_KEY=1 and supply PRANA_SKILL_PUBLIC_KEY / PRANA_SKILL_SECRET_KEY or PRANA_SKILL_API_KEY yourself.
- Default base URL is a staging/test domain: Unless you set NEXT_PUBLIC_URL to a production/trusted endpoint, the client will contact the default claw-uat.ebonex.io host. Verify the target service and privacy policy before sending sensitive data.
- Manifest/documentation mismatch: The skill frontmatter claims 'Tushare驱动' (Tushare-driven) but no Tushare code is included locally; processing happens remotely. Ask the publisher where execution runs and whether Tushare or other vendor services will receive your data.
Recommendations:
- If you trust the remote Prana/Claw service and understand the credential handling, you can proceed, but set PRANA_SKILL_SKIP_WRITE_API_KEY=1 if you prefer not to persist keys.
- If you do not want your portfolio data or platform credentials sent to a remote endpoint you don't control, do not install/run this skill.
- Ask the publisher for the canonical remote base URL, privacy/security policy, and confirmation that the remote service actually uses Tushare and will not retain or misuse your data.
Confidence note: medium — the code is straightforward and readable, so the behaviors described are clear; the primary uncertainty is whether the remote service behavior/policies are appropriate for your data and whether the default base URL is intended for production.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- scripts/prana_skill_client.js, line 26: environment variable access combined with network send.
- scripts/prana_skill_client.js, line 94 (flagged): file read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Latest version id: vk97f9hmt4t7ar7k8fb45tx9je183pry8
119 downloads · 0 stars · 3 versions
Updated 1mo ago · v1.0.2 · MIT-0

How to run (pick either one; channels such as OpenClaw may use either Python or Node):

  • Python 3: python3 scripts/prana_skill_client.py -m "…" [-t thread_id] [-b base_url]
  • Node.js 18+: first run npm install in the package root, then node scripts/prana_skill_client.js -m "…" [-t thread_id] [-b base_url]

Notes for paid skills

If this skill is a paid skill, visit https://claw-uat.ebonex.io/api/order/skills after a successful payment to retrieve your purchase record.

Authentication is the same as for calling the Claw API: send the request header x-api-key with the value public_key:secret_key (joined by a single ASCII colon, the same single-line credential format used in config/api_key.txt).
