A-Share Stock Trading Assistant (A股股票交易助手)
Review
Audited by ClawScan on May 10, 2026.
Overview
Most stock-analysis features match the stated purpose, but the price-alert script creates a persistent OpenClaw cron alert that sends to a hard-coded QQ bot recipient.
Use the read-only price/news/analysis scripts with normal caution, but avoid the price-alert feature unless the hard-coded QQ recipient is removed and you explicitly approve any OpenClaw cron job it creates. Also remember the investment outputs are informational and simulated, not reliable financial advice.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the alert feature could leave a scheduled agent task running on weekdays and sending stock alerts without the user realizing it persists.
The alert script creates a persistent scheduled OpenClaw task that can continue running after the immediate request, but SKILL.md only describes price monitoring and does not clearly disclose this persistent agent behavior or how to remove it.
"openclaw", "cron", "add", "--cron", "0 16 * * 1-5", "--session", "isolated", "--wake", "now", "--message", message, "--channel", "qqbot", "--to", user_id, "--announce"
Require explicit user confirmation before creating cron jobs, document how to list/remove the job, avoid immediate wake/announce by default, and make persistence clearly visible in SKILL.md.
A user's stock watchlist or intended buy price range could be routed to an unexpected QQ bot recipient.
The reminder destination is hard-coded and then used as the qqbot recipient, so a user's watched stock code and buy-range alert may be sent to a fixed account rather than the current user.
user_id = "D3AA9A40183306D5A885AB9BE7581B06"
Remove the hard-coded recipient, require the user to provide or confirm the destination, and disclose the exact channel and recipient before scheduling any alert.
Some functions may fail or modify the local OpenClaw environment in ways not apparent from the registry requirements.
The package metadata declares no required binaries, but the included scripts invoke local commands such as curl and openclaw. This is a dependency disclosure gap rather than hidden installation code.
Required binaries (all must exist): none
Declare curl/openclaw requirements and clearly separate read-only query scripts from scripts that modify OpenClaw scheduling.
