Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Coach

v1.0.0

🏆 AI trading review coach: turn your broker CSV into actionable improvement insights! Automatic FIFO position matching, 8-dimension quality scoring (entry/exit/trend/risk...), 10-dimension AI insights. Supports mainstream brokers such as Futu (Chinese/English), Tiger, CITIC and Huatai. Trigger conditions: the user provides a trading CSV, asks to analyze trading performance, evaluate trade quality, generate a review report, compute profit-and-loss statistics, identify trading-pattern problems, "help me review my trades", "analyze my trades".

14 · 8.4k · 60 current · 63 all-time
by BENZEMA (@benzema216)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (report available)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description and reference docs consistently describe a CSV-based trading-replay/analysis tool (FIFO matching, scoring, insights). No declared env vars or unrelated binaries are requested — the requested capabilities align with processing CSVs and generating reports.
Instruction Scope
SKILL.md instructs the agent/user to git clone a third-party GitHub repo and run Python scripts (import_trades.py, run_matching.py, score_positions.py, analyze_scores.py). That is within the functional scope (you need code to parse and score CSVs), but it delegates execution to external, unreviewed code and copies a config_template.py to config.py (which may lead to local secrets or configuration changes). The skill itself does not request credentials, but the instructions are sufficiently open-ended that the external repo could ask for or handle secrets or make network calls.
Install Mechanism
There is no declared install spec in the registry package, but the runtime instructions explicitly direct cloning an external GitHub repository and installing requirements via pip. That effectively instructs fetching and executing arbitrary third-party code from an external source (user repo 'BENZEMA216/tradingcoach'), which is higher risk than an instruction-only skill that runs only built-in logic. The repo is hosted on GitHub (a known host) but is an unverified user repo, so the skill can end up fetching and running arbitrary Python code.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. For its stated purpose (CSV-based analysis) this is proportionate. Note: because SKILL.md instructs creating a config.py, the external repo might request API keys or other secrets — the package itself does not declare or require them.
Persistence & Privilege
The skill does not request 'always: true' or any persistent system-level privileges. It is user-invocable and allows model invocation (defaults). Nothing in the bundle indicates it modifies other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (turn broker CSVs into matched positions, scores and AI insights) and does not itself request credentials. The main risk is that the SKILL.md tells you (or an agent) to git clone and pip install a third-party GitHub repo and then run its Python scripts — that could execute arbitrary code or attempt network calls or read files/configs. Before installing or running:

1) Manually inspect the GitHub repo code (especially the scripts and config_template.py) for network calls, hardcoded endpoints, or code that reads unexpected files.
2) Run the code in an isolated environment (VM/container) and review requirements.txt for risky packages.
3) Do not upload CSVs containing sensitive personal data to unknown remote services.
4) Check whether the repo asks for API keys or broker credentials in config.py; provide only what is necessary and avoid sharing account secrets.
5) Prefer running a locally vetted implementation, or ask the author for a signed release or reproducible build.

If you want, I can list the concrete checks to perform in the repo (files/lines to search for) or, if you provide the cloned repo contents, scan them for suspicious behaviors.
