Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Alert Workflow
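v1.0.1
Earnings-surprise alert workflow: automatically scrapes stocks whose reported EPS beat expectations by more than 10%, searches analyst ratings from the past 30 days, and pushes alerts via WhatsApp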
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (EPS >10% detection, analyst ratings, WhatsApp push) matches the included Python script and README. Requiring the 'uv' runner (and supplying a brew formula for it) is reasonable if this project expects to be run with that tool. However there are incoherences: README/SKILL.md mention TipRanks as a data source but the visible code only uses yfinance and scraping; the script header lists Python dependencies (yfinance, pandas, requests, beautifulsoup4, python-dotenv) but the install spec does not install those Python packages. This mismatch between declared runtime dependencies and the install spec is unexpected.
Instruction Scope
Runtime instructions tell the agent to run the Python script with 'uv run' and to ensure OpenClaw WhatsApp channel is configured. The script performs web scraping (Wikipedia, Yahoo Finance via yfinance, and uses requests/BeautifulSoup) which is consistent with the task. But the instructions and metadata do not declare how WhatsApp delivery is authenticated (no env vars declared). The Python file is truncated in the provided listing at the method likely responsible for sending messages; because that implementation is not visible, it's unclear whether alerts are posted via the local OpenClaw plugin, an OpenClaw HTTP API, or an external endpoint — this ambiguity increases risk because the message-sending step could exfiltrate data to an undocumented destination.
Install Mechanism
The only install step is a brew formula for 'uv' which is a low-risk, standard package install if 'uv' is a known tool. No arbitrary downloads or extract-from-URL operations are present. However, the skill provides no mechanism to install the Python dependencies listed in the script header (yfinance, pandas, requests, bs4, python-dotenv). That omission means the runtime environment requirements are underspecified and could surprise users or lead to the skill failing or attempting to install packages at runtime via an undocumented mechanism.
Credentials
Registry metadata declares no required environment variables or primary credential. But sending WhatsApp messages via an OpenClaw channel usually requires prior OpenClaw configuration and possibly channel credentials; the skill tells users to 'ensure OpenClaw WhatsApp channel is configured' but does not declare what environment variables or secrets the script will read. The script header includes 'python-dotenv' in its dependencies which suggests it may read env files at runtime. The README also mentions TipRanks (which may require an API key) but there is no declared API key requirement — these gaps mean the skill may expect or attempt to access credentials that are not documented, which is a proportionality concern.
Persistence & Privilege
The skill is not 'always:true', does not request to modify other skills or system-wide settings in the provided materials, and relies on scheduled execution via cron examples only. No persistent or elevated platform privileges are requested in the manifest.
What to consider before installing
What to check before installing or running this skill:
- Dependency installation: The script requires Python packages (yfinance, pandas, requests, beautifulsoup4, python-dotenv) but the skill's install spec only installs 'uv' via brew. Ensure you install these Python dependencies in a controlled virtual environment before running.
- WhatsApp delivery/auth: The SKILL.md assumes an OpenClaw WhatsApp channel is already configured but doesn't state what credentials or environment variables the script will use. Inspect the code where the message is sent (the truncated send implementation) and confirm it posts only to your configured OpenClaw endpoint and does not transmit data to any other external host.
- TipRanks mention: The README references TipRanks, but the visible code uses yfinance and scraping. Ask the author to clarify whether TipRanks API keys are required or whether TipRanks is just a conceptual source.
- Review the full send implementation: The file listing is truncated at the notifier's send method. Before running, open the complete script and verify the send routine's destination, headers, and any use of environment variables or secrets.
- Run in isolation first: Execute the script in a sandboxed environment (separate virtualenv or container) and with test accounts/recipients to confirm behavior. Check network activity (which hosts are contacted) while a dry run executes.
- Trust and provenance: The skill has no homepage and an unknown source owner. If you don't trust the author or cannot verify the code path that sends messages, avoid installing it on production systems or with credentials that grant access to other services.
If you want, I can: (1) fetch and display the remainder of scripts/stock_alert_workflow.py so you can inspect the send implementation, or (2) point out the exact lines where env vars or network calls occur once I have the full file.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bkmdct41x611kvr0r3fdc21848tbg
Runtime requirements
📈 Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv