Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Monitor

v1.3.0

Real-time stock price monitoring. Supports monitoring multiple stocks, fetches live prices through the Yahoo Finance API, and alerts on user-defined rise/fall thresholds. When a stock's price moves beyond the configured threshold an alert is sent automatically, with support for a first-alert and repeat-alert mechanism. Used for: (1) monitoring price movements of held stocks (2) setting price alerts (3) periodically checking price changes

5 · 8.9k · 137 current · 143 all-time
by 大斌 (@shengbinxu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (report available)
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (real-time stock monitoring with Yahoo/Futu support) matches the provided scripts: stocks_monitor.py and stocks_rebalance_monitor.py use Yahoo Finance, futu_stocks_monitor.py uses the Futu OpenD client. Minor mismatch: the package has no declared dependency list but futu_stocks_monitor.py imports the futu library (will fail if futu is not installed). Otherwise the capabilities requested (reading a simple JSON config, calling Yahoo/Futu APIs, saving small state files) are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs creating a config in ~/.openclaw/workspace/memory and running the included scripts (or scheduling them via the platform cron). The instructions only reference the expected config and state file paths and the platform's cron/channel for delivering outputs. They do not ask the agent to read unrelated files or environment variables. Minor inconsistency: example run paths in SKILL.md reference ~/.openclaw/skills/… which may differ from where the skill's files are placed; this is an operational (not security) mismatch.
Install Mechanism
There is no install spec (instruction-only install), which is low risk. The package includes Python scripts that will run locally. Note: futu_stocks_monitor.py requires the third-party futu Python package (import futu) but no dependency or install instruction is provided, which may cause runtime errors if a user runs that script without installing futu.
Credentials
The skill does not request any environment variables or credentials. The only sensitive input surface is the optional futu 'unlock_password' in the config JSON (the script reads it from the config file, not from env), which would be stored in plaintext under ~/.openclaw/workspace/memory if the user puts it there. The scripts make outbound requests only to Yahoo Finance endpoints (query1.finance.yahoo.com) and — for futu — to a local OpenD service (default 127.0.0.1:11111). There are no other credential-like env vars referenced.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It stores its own small JSON state files under ~/.openclaw/workspace/memory/, which is expected for a monitoring tool. It prints alerts to stdout; actual delivery to channels (e.g., Discord) is delegated to the platform's cron/channel integration, not the skill itself.
Assessment
This package appears to do what it says: poll Yahoo Finance (and optionally Futu OpenD) and write small JSON state files under ~/.openclaw/workspace/memory. Before installing or scheduling it:
1) If you plan to use futu_stocks_monitor.py, install and review the futu Python package and be aware that the script expects an optional unlock_password in the config file (don't store sensitive passwords in plaintext unless you accept the risk).
2) The scripts only print alerts; ensure whatever cron/channel integration you use (the example mentions Discord) will not forward any secrets or entire config files. Verify the platform's behavior.
3) There is no install step provided, so running the futu script may fail if dependencies are absent; running the Yahoo-based scripts requires only Python and network access.
4) If you only want Yahoo-based monitoring, you can ignore the futu script.
5) If you want extra assurance, inspect configs stored under ~/.openclaw/workspace/memory for any sensitive fields before scheduling.
