Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Stock Announcement

v1.1.0

Daily stock portfolio announcement tool, integrating Gmail email reports and Sonos voice announcements.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for terrycarter1985/stock-announcement.

Prompt preview: Install & Setup
Install the skill "Daily Stock Announcement" (terrycarter1985/stock-announcement) from ClawHub.
Skill page: https://clawhub.ai/terrycarter1985/stock-announcement
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: sonos, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install stock-announcement

ClawHub CLI


npx clawhub@latest install stock-announcement

Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, SKILL.md, and install spec all implement the advertised features (yfinance portfolio analysis, Gmail API email sending, Sonos TTS via a sonos CLI). The go install for github.com/steipete/sonoscli to provide a 'sonos' binary and the listed pip packages are appropriate for the claimed purpose. However, the registry metadata lists no required env vars while SKILL.md and the script expect SONOS_SPEAKER and RECIPIENT_EMAIL, which is an inconsistency.
Instruction Scope
The runtime instructions and the script instruct use of a Gmail OAuth token (config/token.json) and environment variables, which fits the purpose. But the script implements broad credential/config discovery: it loads a .env located at WORKSPACE_ROOT determined as Path(__file__).parent.parent (which may point outside the skill directory) and searches fallback locations for token.json (cwd, home, /config). That expands the scope to read user-level files outside the skill and could pick up unrelated credentials.
Install Mechanism
Install uses pip for standard packages and a Go module from GitHub to produce the 'sonos' binary. These are common mechanisms and the Go module points at a GitHub repo (not a shortener or personal IP). No suspicious remote arbitrary archive downloads were observed.
Credentials
The skill did not declare required env vars in registry metadata, yet the SKILL.md and code require/expect SONOS_SPEAKER and RECIPIENT_EMAIL and a Gmail OAuth token. The code's fallback scanning (Path.home(), Path.cwd(), and absolute /config) means it can access credentials outside the project; requesting or reading those without explicit declaration is disproportionate and risk-increasing.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It runs as an ordinary, user-invocable skill with normal autonomous invocation settings.
What to consider before installing
This skill appears to implement the advertised Gmail + Sonos features, but exercise caution before installing. Specific concerns:

  1. The registry metadata omits required env vars even though the script expects SONOS_SPEAKER and RECIPIENT_EMAIL and a Gmail OAuth token.
  2. The script actively searches for credentials in multiple fallback locations (workspace .env, current working directory, your home directory, /config), which could cause it to pick up and use unrelated Gmail tokens on your machine.
  3. There are packaging/path mismatches in SKILL.md/skill.yaml (references to a scripts/ path that don't match the included filename), indicating sloppy packaging.

Recommended actions before installing or running:

  • Review the full script yourself (especially the credential-loading code).
  • Put the Gmail token only in the intended config location (or better, use a dedicated service account or project-limited token).
  • Run the skill in an isolated environment or container.
  • Set RECIPIENT_EMAIL to a safe test address first.
  • Verify you trust the sonoscli GitHub repository used for the 'sonos' binary.

If you require higher assurance, ask the author to remove fallback scanning of home and root paths and to declare required env vars in the metadata.
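The credential-discovery concern in the scan report, shown as the hardened alternative a reviewer would ask for: a loader that accepts only the skill's own config/token.json and rejects anything resolving outside it. This is an added example written for this page, not code from the stock-announcement skill; the function names and the config-directory-only policy are assumptions.

```python
"""Added example (not code from the stock-announcement skill): a credential
loader that replaces the fallback scanning the scan report describes
(workspace .env, cwd, home, /config) with one allowed location,
<skill_dir>/config/token.json. Names here are assumptions for illustration."""
from pathlib import Path
import tempfile


def resolve_token_path(skill_dir: Path, override: str = "") -> Path:
    """Return the Gmail token path only if it lies inside skill_dir/config.

    override: optional explicit path (e.g. from an env var). It is still
    required to resolve inside config/, so '~/token.json', '/config/token.json'
    or a '..' escape is rejected instead of silently picking up another token.
    """
    config_dir = (skill_dir / "config").resolve()
    candidate = Path(override).expanduser() if override else config_dir / "token.json"
    candidate = candidate.resolve()  # follow symlinks and '..' before the check
    if not candidate.is_relative_to(config_dir):  # path containment, not a string prefix test
        raise PermissionError(f"{candidate} is outside {config_dir}")
    if not candidate.is_file():
        raise FileNotFoundError(f"no token at {candidate}; place it in config/")
    return candidate


def probe_token_path(skill_dir: Path, override: str = "") -> str:
    """Classify a candidate token path for review: 'accepted', 'outside-config'
    or 'missing'. Useful for checking what a configured value would actually load."""
    try:
        resolve_token_path(skill_dir, override)
        return "accepted"
    except PermissionError:
        return "outside-config"
    except FileNotFoundError:
        return "missing"


def make_demo_skill() -> Path:
    """Build a constructed skill directory in a temp folder with a dummy token."""
    skill_dir = Path(tempfile.mkdtemp(prefix="stock-announcement-"))
    (skill_dir / "config").mkdir()
    (skill_dir / "config" / "token.json").write_text('{"token": "DUMMY-NOT-A-REAL-TOKEN"}')
    return skill_dir


if __name__ == "__main__":
    demo = make_demo_skill()
    print(probe_token_path(demo))                                              # accepted
    print(probe_token_path(demo, str(demo / "config" / ".." / "token.json")))  # outside-config
    print(probe_token_path(demo, str(Path.home() / "token.json")))             # outside-config
```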

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📈 Clawdis
Bins: sonos, python3

Install

Install sonoscli
Bins: sonos
go install github.com/steipete/sonoscli/cmd/sonos@latest
latest: vk97802hvbxwx7y4m3g2vpqq1gx84e7c1
89 downloads
0 stars
1 version
Updated 2w ago
v1.1.0
MIT-0

Stock Announcement Skill v1.1.0

Overview

Automated daily stock portfolio announcement tool with market analysis, email reports, and Sonos voice announcements.

Main features

  • 📊 Real-time portfolio performance analysis (based on yfinance)
  • 📧 HTML-formatted email reports sent via the Gmail API
  • 🔊 Sonos speaker voice announcement of the day's gains and losses
  • 📈 Display of total market value, daily P&L, and best/worst performing stocks

v1.1.0 Changelog

🔧 Fixes

  1. Email sending failure fix

    • Fixed Gmail credential path resolution
    • Added automatic multi-path credential scanning
    • Built-in 3 retries (exponential backoff)
  2. Sonos announcement failure fix

    • Fixed TTS command-line argument format
    • Added speaker discovery pre-check
    • 3 automatic retries + timeout protection (30 seconds)
    • Cleaned up announcement text, removing extra whitespace
  3. Stability improvements

    • Added a structured logging system
    • Timeout protection on all external calls
    • Improved automatic workspace path detection
    • Better exception handling and error message output

Usage

# Run the announcement script
python3 daily_stock_announcement.py

Configuration

  1. Place the Gmail OAuth token at config/token.json
  2. Set the environment variables:
    • SONOS_SPEAKER: Sonos speaker name (default: "Living Room")
    • RECIPIENT_EMAIL: email address that receives the report
