Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tradingagents-cn-skill

v2.0.0

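Multi-agent stock analysis report generation. Six analysts run in sequence, followed by a bull/bear debate, a trading plan, and a risk assessment, producing a professional PDF report. Trigger scenarios: the user asks to analyze a stock, asks to generate a stock report, provides a screenshot or ticker code for analysis, asks for buy/sell advice, or requests technical analysis, fundamental analysis, or risk assessment.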

by Tony @tanteng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included scripts: the skill runs a 12-step LLM-driven analysis, validates LLM outputs (validate_step.py) and generates PDFs (pdf_generator.py). Requested runtime binary (python3) is appropriate. However, the code imports third‑party Python packages (e.g., markdown) that are not declared in the skill metadata or install instructions — an undeclared dependency mismatch.
Instruction Scope
SKILL.md instructions stay within the declared purpose: they describe OCR/web_search/LLM calls, retries, validation, logging, and PDF generation. The skill does not instruct reading arbitrary system files or exfiltrating secrets. Note: it relies on agent MCP tools (web_search, image-ocr) and expects the agent to perform LLM calls; those are external to the skill.
Install Mechanism
There is no install spec (instruction-only) which is low-risk, but code files are present and will run under python3. The package imports (markdown) are not documented — whoever installs this may need to pip-install dependencies. No remote downloads or obscure install URLs are used.
Credentials
The skill does not request secrets or credentials. It does use an environment variable TRADINGAGENTS_LOG_FILE to determine the log file location; this variable is not declared in requires.env but is required by SKILL.md usage. Because the script will honor that env var, a mis-set environment value could cause logs/reports to be written to unexpected filesystem locations — this is a configuration/proportionality issue to be aware of, not direct credential theft.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It writes logs and report files to directories under the skill (scripts/logs, scripts/reports) by default. It does not modify other skills or global agent config.
What to consider before installing
This skill appears to do what it says: coordinate LLM analyses, validate outputs, and render a PDF. Before installing, note two practical inconsistencies: (1) the Python scripts import a third‑party 'markdown' module (and possibly others) but the skill metadata doesn't declare pip dependencies — you may need to install them manually in the runtime environment; (2) the validator uses an environment variable TRADINGAGENTS_LOG_FILE to set the log path (SKILL.md instructs a safe default), but the script will honor any value of that env var — if an attacker or misconfiguration sets it to an unexpected path, logs could be written outside the skill directory. These are not direct evidence of malicious intent, but they are configuration and supply‑chain gaps you should address (install required Python packages in a controlled environment and ensure TRADINGAGENTS_LOG_FILE is set to a safe path) before using the skill.

Like a lobster shell, security has layers — review code before you run it.

Tags: latest, multi-agent, stock-analysis, trading

Runtime requirements

📊 Clawdis
Bins: python3
