Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Advisor Pro

v1.0.0

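Your personal AI investment advisor. Provides in-depth, multi-dimensional analysis of individual A-share stocks and portfolio management.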

1 · 108 · 0 current · 0 all-time
by daas.ai @daasai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daasai/stock-advisor.

Install the skill "Stock Advisor Pro" (daasai/stock-advisor) from ClawHub.
Skill page: https://clawhub.ai/daasai/stock-advisor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install stock-advisor

ClawHub CLI


npx clawhub@latest install stock-advisor

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (in-depth A-share analysis + portfolio management) match included scripts: scan.py calls a cloud API and portfolio.py reads/writes local data. However registry metadata stated no required env vars/credentials while SKILL.md and scripts rely on STOCK_ADVISOR_API_URL and STOCK_ADVISOR_API_KEY — this inconsistency should be resolved.
! Instruction Scope
SKILL.md instructs running the included scripts (expected). It claims 'all portfolio and alert data is stored locally' which is true for portfolio operations, but scan.py performs network calls to the configured cloud backend (symbol queries via /api/scan). The skill does not exfiltrate portfolio data in code, but the privacy claim is misleading because scan requests go to an external service. README also suggests running a remote install curl | sh (astral.sh) which broadens runtime scope and risk.
! Install Mechanism
There is no formal install spec in the registry (lowest risk), but README recommends installing 'uv' via curl -LsSf https://astral.sh/uv/install.sh | sh. That is a remote install script from a third-party domain; running it without inspection is risky. The package_files themselves are plain Python scripts (no packaged binary downloads).
Credentials
The code and SKILL.md legitimately use two env vars (STOCK_ADVISOR_API_URL, STOCK_ADVISOR_API_KEY) for contacting a cloud backend — proportional to the cloud-scan function. However, registry metadata claimed no required env vars/primary credential, which is inconsistent. The default API key in config.py ('demo-key-123456') and default base URL (https://api.daas.ai) mean the skill can run without you supplying secrets, but will contact that default service unless you override it.
Persistence & Privilege
The skill does not request always:true and will not be force-included. It writes only its own local portfolio.json file via LocalStore; it does not modify other skills or system-wide settings. Autonomous invocation is enabled (default) but not combined with other high-risk requests.
What to consider before installing
Before installing or running:

(1) Resolve the metadata mismatch — SKILL.md and scripts expect STOCK_ADVISOR_API_URL and STOCK_ADVISOR_API_KEY even though registry metadata lists none.
(2) Verify and trust the backend: by default the skill will contact https://api.daas.ai (or the URL you set). If you don't trust that service, run your own local backend and set STOCK_ADVISOR_API_URL to http://localhost:8000.
(3) Inspect any remote install script before running it — README recommends curl | sh from astral.sh to install 'uv'; avoid executing that blindly.
(4) The portfolio data is stored locally in data/portfolio.json, but a sample file contains a user path — replace or remove sample data.
(5) If you need strong privacy, run the skill in a sandboxed environment and/or host the API backend yourself so scans don't go to an external server.

Like a lobster shell, security has layers — review code before you run it.

latest vk978tmg1cy4sxfp8tzzqsww4kd83vkd9
108 downloads
1 star
1 version
Updated 4w ago
v1.0.0
MIT-0

Stock Advisor Pro

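Your personal AI investment advisor, built for the A-share market. This plugin provides in-depth individual stock scanning, portfolio management, real-time market monitoring, and personalized investment advice.

Key Features

  • Deep scan: multi-dimensional scoring (fundamentals, capital flows, technicals, sentiment) plus in-depth AI interpretation.
  • Portfolio management: record your A-share holdings and analyze profit and loss.
  • Privacy protection: all portfolio and alert data is stored locally and never uploaded to the cloud.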

🌐 External Endpoints

This plugin needs to connect to the Stock Advisor Pro API backend.

  • Default address: http://localhost:8000
  • Environment variable: STOCK_ADVISOR_API_URL

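🛡️ Security & Privacy

  • Local first: all portfolio data is stored only locally in data/portfolio.json
  • No tracking: the plugin does not collect or upload any personal trading behavior data.
  • Trust statement: this plugin follows the OpenClaw security guidelines, and all script logic is transparent and open to inspection.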

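Commands

1. Individual stock analysis

Help me analyze the current state and potential risks of an individual stock.

  • uv run {baseDir}/scripts/scan.py <stock_code>

2. Portfolio management

View or manage your local holdings.

  • uv run {baseDir}/scripts/portfolio.py show - view current holdings
  • uv run {baseDir}/scripts/portfolio.py add <code> --cost <unit_price> --quantity <shares> - add a holding
  • uv run {baseDir}/scripts/portfolio.py remove <code> - remove a holding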
