Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Price Alert

v1.0.1

Real-time stock price movement alert skill. It integrates with a stock quote API, sends email alerts and plays Sonos voice announcements, monitoring the prices of held stocks in real time and triggering alerts on abnormal movement.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (stock monitoring + Gmail + Sonos) match the included script and its dependencies (yfinance, the Google auth libraries, sonos-cli usage). However, the registry-level list of required binaries includes 'clawhub' even though the Python script never uses it; that binary requirement is unexplained and disproportionate to the stated purpose.
Instruction Scope
SKILL.md and the script instruct the agent to read environment variables, a .env file and Gmail OAuth token files. The script searches for token.json in multiple relative locations including ../../../config/token.json and a ~/.openclaw/workspace path — these relative paths can traverse out of the skill directory and read workspace-level credential files. This broad file access is beyond the simple 'send an email' description and could read unrelated credential files if present.
Install Mechanism
No platform-level install spec was provided, but SKILL.md declares pip dependencies (yfinance, pandas, python-dotenv, google-auth libs) and a pip install step — these are appropriate for the functionality. There is no high-risk remote download or obscure installer. Still, the registry said 'No install spec' while SKILL.md lists installation steps, which is an inconsistency to clarify.
Credentials
Registry metadata declared no required env vars or primary credential, but SKILL.md and the script expect configuration via a .env (PORTFOLIO, ALERT_THRESHOLD, SONOS_SPEAKER, RECIPIENT_EMAIL, etc.) and require a Gmail OAuth token file (token.json). The skill thus needs credentials and config that are not declared in the registry, which is a mismatch and reduces transparency. Also the script probes multiple filesystem locations for token.json (including user workspace paths).
Persistence & Privilege
always:false and agent-autonomy defaults are preserved. The skill does not request permanent platform presence or modify other skills. It writes an alert_history.json inside the skill/workspace area (normal). The main concern is file read scope rather than persistence.
What to consider before installing
This skill appears to implement the advertised stock-monitoring + Gmail + Sonos alerts, but there are a few red flags you should check before installing:
- Verify why the registry requires the 'clawhub' binary; the Python script does not reference it. Ask the publisher to justify or remove that requirement.
- The script expects a Gmail OAuth token (token.json) and will look in several relative and workspace-wide paths (including ../../../config/token.json and ~/.openclaw/workspace/config/token.json). Ensure you do not have sensitive tokens in those locations that you don't want this skill to access, or run the skill in an isolated environment.
- Provide Gmail credentials only as described (create a dedicated token.json for this skill) and never expose tokens you use for other services.
- Inspect the full script locally (especially the parts that search for token.json and call subprocess for Sonos) before running, and run it first in a restricted or VM environment if you are unsure.
- Confirm you are comfortable with the pip packages listed (yfinance, pandas, the Google auth libraries) and install them yourself to avoid unexpected network installs.
Each of the following would improve the transparency and safety of this skill: (a) removing the unexplained 'clawhub' requirement, (b) documenting the exact credential files and paths needed, and (c) limiting token discovery to a single explicit path you control.
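The token-discovery concern raised in the Instruction Scope finding and in the last recommendation above, shown in working form. This is an added example written for this page; it is not code from the Stock Price Alert skill or from ClawHub. The candidate list is modelled on the paths the scan describes, not copied from the skill, and the directory layout, file contents and the helper names probing_lookup, pinned_lookup and demo are all constructed for the demonstration.

```python
"""
Added example, not code from the Stock Price Alert skill or from ClawHub.
It contrasts a permissive token.json discovery routine, modelled on the
search behaviour the scan describes, with a resolver pinned to one path
under a directory the operator controls. All paths and file contents are
constructed in a temporary directory; no real credentials are involved.
"""
import tempfile
from pathlib import Path

# Candidate list modelled on the scan's description (assumed, not the skill's
# actual code): two relative paths that escape the skill directory plus a
# workspace-wide path under the user's home.
PROBED_CANDIDATES = (
    "token.json",
    "config/token.json",
    "../../../config/token.json",
    "~/.openclaw/workspace/config/token.json",
)


def probing_lookup(skill_dir, candidates=PROBED_CANDIDATES, home=None):
    """Return the first candidate that exists, as a permissive loader would.

    'home' overrides ~ expansion so the demo stays inside a temp directory.
    """
    home = Path(home) if home is not None else Path.home()
    for cand in candidates:
        p = home / cand[2:] if cand.startswith("~/") else Path(skill_dir) / cand
        if p.is_file():
            return str(p.resolve())  # resolve() exposes where it really went
    return None


def pinned_lookup(skill_dir, relative="token.json"):
    """Resolve exactly one path and refuse anything that lands outside skill_dir.

    resolve() collapses '..' and follows symlinks, so the containment check
    catches both traversal and a symlink planted inside the skill directory.
    A token readable by group/others is also refused. Needs Python 3.9+ for
    Path.is_relative_to.
    """
    root = Path(skill_dir).resolve(strict=True)
    target = (root / relative).resolve()
    if not target.is_relative_to(root):
        raise PermissionError(f"{relative!r} resolves to {target}, outside {root}")
    if not target.is_file():
        raise FileNotFoundError(str(target))
    mode = target.stat().st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{target} is group/world readable (mode {mode:o})")
    return str(target)


def _outcome(skill_dir, relative):
    """Report whether pinned_lookup accepts or rejects a relative path."""
    try:
        pinned_lookup(skill_dir, relative)
        return "accepted"
    except PermissionError:
        return "rejected"


def demo():
    """Build a constructed layout and run both lookups against it."""
    base = Path(tempfile.mkdtemp())
    skill_dir = base / "workspace" / "skills" / "stock-price-alert"
    skill_dir.mkdir(parents=True)
    # A workspace-level credential exactly three directories above the skill.
    foreign = base / "config" / "token.json"
    foreign.parent.mkdir(parents=True)
    foreign.write_text('{"refresh_token": "CONSTRUCTED-NOT-A-REAL-TOKEN"}')
    home = base / "home"
    ws_cfg = home / ".openclaw" / "workspace" / "config"
    ws_cfg.mkdir(parents=True)
    (ws_cfg / "token.json").write_text("{}")

    result = {}
    # 1. The probing loader walks out of the skill and returns the foreign token.
    found = probing_lookup(skill_dir, home=home)
    result["probing_found"] = found
    result["probing_escaped"] = (
        found is not None and not Path(found).is_relative_to(skill_dir.resolve())
    )
    # 2. The pinned resolver rejects the same traversal outright.
    result["pinned_traversal"] = _outcome(skill_dir, "../../../config/token.json")
    # 3. It also rejects a symlink inside the skill that points at the foreign file.
    (skill_dir / "link.json").symlink_to(foreign)
    result["pinned_symlink"] = _outcome(skill_dir, "link.json")
    # 4. A token the operator placed inside the skill with mode 0600 is accepted.
    own = skill_dir / "token.json"
    own.write_text("{}")
    own.chmod(0o600)
    result["pinned_own"] = pinned_lookup(skill_dir) == str(own.resolve())
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the probing lookup returned a file outside the skill directory while the pinned resolver rejected both the `..` traversal and the symlink and accepted only the 0600 token placed inside the skill. The same resolve-then-contain check is what to look for when you inspect the skill's own token.json search before installing.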

Like a lobster shell, security has layers — review code before you run it.

Tags: alerts, gmail, latest, sonos, stocks


Runtime requirements

Bins: python3, clawhub
