Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
a-stock-review
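v1.0.1
A-share stock review and analysis tool that provides comprehensive stock review reports based on the AkShare library. It supports multi-dimensional analysis, including price trends, financial indicators, capital flows, sectors and concepts, and technical analysis. It is used to answer questions about individual stock reviews, market analysis, fundamental analysis, and technical analysis.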
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: both are focused on A-share stock review using AkShare and public finance endpoints (Eastmoney, Sina). However the skill package declares no install spec or dependency list even though the code requires Python packages (akshare, pandas, numpy, requests); this mismatch may break runtime expectations and is a packaging oversight.
Instruction Scope
SKILL.md instructs extensive data collection and explicit cross-validation (Eastmoney + Tonghuashun + Sina). The code calls akshare and directly queries Eastmoney and Sina; it does not explicitly call a Tonghuashun web API in an obvious, named way (it relies on akshare wrappers and backup web endpoints). The instructions do not ask for unrelated local files or secrets, so scope is generally limited to public data collection, but the promised two-source validation is not clearly enforced by implementation.
Install Mechanism
This is labeled instruction-only with no install spec, but the bundle includes Python code that depends on non-standard packages (akshare, pandas, numpy, requests). No dependency declaration or install instructions are provided, so installing/running may require manual dependency setup. Missing install/dependency metadata is an operational and supply-chain concern.
Credentials
The skill requests no environment variables, no credentials, and the code does not read secrets or config paths. All external access is to public finance endpoints, which is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always: true, does not request elevated privileges, and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but not combined here with other worrisome privileges.
What to consider before installing
This package appears to be a legitimate A-share analysis tool that scrapes public finance endpoints (Eastmoney, Sina) via akshare and requests. Before installing or running it you should:
1) be aware you must manually install Python dependencies (akshare, pandas, numpy, requests) — the skill does not declare them; run it in a VM or isolated environment until you validate behavior;
2) expect outbound network calls to public endpoints (Eastmoney, Sina) which will reveal queried stock codes and timestamps to those services — if that is a privacy concern, do not run it;
3) note SKILL.md requires cross-validation with both Eastmoney and Tonghuashun, but the code does not clearly guarantee both sources always succeed — verify the implementation meets your validation needs;
4) review the code locally for bugs and error handling (there are minor scoping/logic issues) and for compliance with the data provider terms of service;
5) if you want to allow autonomous agent use, be comfortable the agent can make outbound HTTP requests to public APIs.
If any of these points are unacceptable, do not install or run the skill until corrected.
Like a lobster shell, security has layers — review code before you run it.
