Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
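DolphinDB Stream Computing Skill
v1.4.0
Provides DolphinDB-based stream computing capabilities for financial scenarios, supporting real-time data stream processing such as real-time market data, factor computation, risk control, and order books.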
by superStupidBear @ugpoor
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the SKILL.md content are consistent: the skill focuses on DolphinDB stream processing and shows example APIs and engines that match that purpose. However, the skill claims no required env/config but depends heavily on an external 'dolphindb-basic' skill and a particular workspace layout (~/.jvs/.openclaw/workspace/skills/dolphindb-skills), which is not declared in the registry metadata.
Instruction Scope
The instructions mandate sourcing shell scripts and running a Python init script from ~/.jvs/.openclaw/workspace/skills/dolphindb-skills/scripts (relative paths outside this skill). Sourcing those scripts will execute arbitrary shell code in the user's environment. The doc also references $DOLPHINDB_PYTHON_BIN and wrapper commands (dolphin_python) that are not declared by the skill, and tells the agent to install/require another skill (clawhub install dolphindb-basic). These operations expand scope beyond the skill's own files and give external code execution rights.
Install Mechanism
There is no install spec or code included (instruction-only), which minimizes direct disk writes by this package. However, the runtime instructions instruct users/agents to run shell 'source' and python scripts from a specific workspace location and to install another skill via 'clawhub', so the effective install/runtime footprint depends on those external artifacts rather than this skill bundle.
Credentials
Registry metadata lists no required env vars or credentials, but the instructions reference $DOLPHINDB_PYTHON_BIN, wrapper commands, and recommend connecting to DolphinDB with host/user/password examples. The skill therefore implicitly requires environment setup and potentially user credentials, yet these are not declared — an inconsistency that could hide credential usage or exfiltration paths if the sourced scripts perform network actions.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does instruct installing or sourcing external scripts, but it does not itself demand persistent system-wide privileges or modify other skills' configs in the package as provided.
What to consider before installing
This skill appears to be a DolphinDB streaming helper, but before installing or sourcing anything you should: (1) inspect the scripts it tells you to source (~/.jvs/.openclaw/workspace/skills/dolphindb-skills/scripts/* and ../dolphindb-skills) — do not 'source' them blind because sourcing runs arbitrary shell code; (2) verify the origin and contents of the 'dolphindb-basic' skill and any wrapper scripts (dolphin_wrapper.sh, dolphin_global.sh, init_dolphindb_env.py); (3) ensure $DOLPHINDB_PYTHON_BIN and any wrapper binaries are what you expect and not malicious shims; (4) run initial tests in an isolated environment or container and avoid using real credentials until you confirm behavior; and (5) request the skill author/source or a full package that includes the referenced scripts and a declared dependency list so you can review them — if the referenced scripts are provided in-package or come from a reputable repository and the environment variables are declared, the risk would be lower.
Like a lobster shell, security has layers — review code before you run it.
