ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Assistant Pro

v1.0.0

专业股票分析助手,基于五日线+MACD+基本面三维选股策略。提供实时行情分析、买卖点提示、财报健康度检查、做 T 策略建议。适合 A 股投资者使用。

0· 151·0 current·0 all-time
by@vip8607
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises realtime行情分析, buy/sell signals, watchlists, PDF reports and a paid subscription model, but the package declares no APIs, no environment variables, no install steps, and no storage/config paths. A skill that needs realtime market data normally requires at least an API endpoint or API key; a watchlist/paid-subscription feature normally requires storage or billing integration. Those capabilities are claimed but not supported by any declared dependencies or instructions.
!
Instruction Scope
SKILL.md is purely descriptive (commands and expected outputs) and contains no runtime directives for where to fetch market data, how to persist a watchlist, how to generate/serve PDFs, or how pricing/subscription is enforced. That missing scope is a functional incoherence: it's unclear what the agent should actually do when invoked and what external systems it will contact.
Install Mechanism
There is no install spec and no code files (instruction-only skill), so nothing will be downloaded or written to disk by installing this skill. This is the lowest install risk.
!
Credentials
The skill declares no required environment variables or credentials. That is surprising given the claimed need for realtime market data and (optionally) third-party services for reports or institutional holdings. Either the skill expects the platform to supply market data (not documented) or it will request credentials at runtime — the lack of declared env vars is disproportionate to the capabilities claimed.
Persistence & Privilege
The skill does not request elevated persistence (always: false) and is user-invocable. There is no indication it modifies other skills or system-wide settings.
What to consider before installing
Before enabling this skill, ask the publisher where realtime market data will come from (which API/vendor) and whether the platform provides it by default. Ask how watchlists and generated reports are stored and who can access them, and how payments/subscriptions are handled. Do not provide API keys, exchange credentials, or payment information until you have clear documentation or source code showing the integration points. If the skill later asks you to enter credentials or to authorize external services, verify the endpoint and scope first. Consider testing with non-sensitive sample tickers and disabling autonomous invocation until you confirm the data sources and storage behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ckk5fndtv09paj1cpamx3wh8335ay

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments