Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Pulse
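v1.2.5
A-share smart decision dashboard: one command shows what to buy or sell today. Enter a stock code and the AI analyzes the technicals and chip distribution, then outputs buy/sell/hold signals with exact price levels, an intraday chart, monthly/yearly price forecasts (Monte Carlo), and an overall buy recommendation. Triggered when the user wants to analyze a stock, view a trend, forecast prices, or generate stock-picking suggestions.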
⭐ 0· 99·0 current·0 all-time
by vine.xio @vineindalvik
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide A-share analysis and indeed uses baostock + a large model for analysis — that capability is coherent. However the package/registry metadata presented to the evaluator lists no required environment variables or binaries while SKILL.md and handler.py require LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL; this mismatch is unexplained and undermines trust in the packaging/metadata.
Instruction Scope
SKILL.md instructs installing Python deps and running handler.py; runtime behavior (fetching baostock data, building ASCII charts, calling an LLM completion endpoint, optional push to Feishu/WeChat webhooks) is within the described purpose and does not explicitly ask to read unrelated local files or system secrets.
Install Mechanism
No install spec is registered (skill is instruction+code), and requirements.txt uses common PyPI packages (baostock, pandas, requests). There are no downloads from arbitrary URLs or obscure installers in the provided files.
Credentials
handler.py and SKILL.md require three LLM-related environment variables (LLM_API_KEY, LLM_BASE_URL, LLM_MODEL) which are appropriate for a skill that calls a model. However the registry-level 'Required env vars: none' is inconsistent. The skill also optionally uses FEISHU_WEBHOOK_URL / WECHAT_WEBHOOK_URL for pushes (reasonable). The inconsistency in declared vs. actual required env vars is the main issue.
Persistence & Privilege
The skill does not request always:true or system-wide configuration changes. It's user-invocable and runs when executed; there is no evidence it persists elevated privileges or modifies other skills.
What to consider before installing
This skill's functionality (baostock + LLM) matches its description, but the package metadata is inconsistent with the SKILL.md and handler.py which require LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL. Before installing or running:
1) confirm the skill source/owner and review the complete handler.py for any hidden network endpoints or unexpected file/credential access;
2) ensure LLM_BASE_URL points to a trusted model provider (an attacker-controlled model endpoint could capture prompts/data);
3) only provide FEISHU/WECHAT webhooks you control and understand what will be sent;
4) run the skill in a limited/sandboxed environment (no elevated privileges) and inspect network activity if possible;
5) ask the publisher to fix the registry metadata so required env vars are declared accurately — inconsistent metadata is a red flag.
If you cannot validate the source or the full code, treat it cautiously and do not expose high-value credentials.
Like a lobster shell, security has layers — review code before you run it.
