A-Share Real-Time Market Data

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent market-data helper; the notable items are a user-run unpinned PyPI install and a disclosed patch that bypasses mootdx/tdxpy trading-hour checks.

This appears safe for its stated purpose of retrieving public A-share market data. Before installing, use an isolated Python environment, review or pin the mootdx/tdxpy dependency versions, and run the setup/demo commands only when you intend to make external market-data connections.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running setup may install the current PyPI release of mootdx and its dependencies into the active Python environment.

Why it was flagged

The setup helper installs an external PyPI package without pinning a version. The dependency is central to the skill, but users inherit the package and dependency supply-chain risk.

Skill content
subprocess.check_call([sys.executable, "-m", "pip", "install", "mootdx"])
Recommendation

Install in a virtual environment and consider pinning or reviewing mootdx and tdxpy versions before use.

ASI02: Tool Misuse and Exploitation
Info
What this means

The agent may query TDX endpoints outside normal trading-hour checks and could receive empty, stale, or unexpected results.

Why it was flagged

The script deliberately changes tdxpy's trading-hour gate so API calls are allowed even when the library would normally block them. This is disclosed for timezone handling, but it changes the upstream library's normal behavior.

Skill content
tdxpy.hq.time_frame = lambda: True
Recommendation

Use the patch only when needed for timezone issues, and keep user control over setup, demo, and batch-query runs.