Concrete Stock Daily Reporter
Suspicious
Audited by ClawScan on May 13, 2026.
Overview
This stock-report skill has a coherent core purpose, but it needs review because it sends reports to a hard-coded Feishu recipient and fetches market data with HTTPS verification disabled.
Before installing or running this skill, replace the Feishu target with your own confirmed recipient, verify which OpenClaw/Feishu account will send the message, remove the TLS-verification bypass, and only add the cron schedule if you want persistent daily sends.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the send script is run successfully, your stock watchlist/report could be delivered to a Feishu user or chat you did not intend.
The generated report, built from the user's stock list, is sent to a fixed Feishu recipient rather than a user-supplied or clearly documented target.
$OPENCLAW message send --channel feishu --target ou_624ec10057e782149ded8bc7040ea7b9 --message "$REPORT"
Make the Feishu target an explicit user-provided configuration value, display it before sending, and require confirmation for message sends.
The skill can act through your configured OpenClaw/Feishu identity to post a message.
The script uses the locally configured OpenClaw/Feishu messaging authority. This is expected for a report-sending skill, but it is sensitive delegated account use.
OPENCLAW="/opt/node-v24.13.0-linux-x64/bin/openclaw" ... $OPENCLAW message send --channel feishu
Run it only under the intended account, ensure the Feishu permissions are appropriate, and declare the required messaging authority clearly.
The generated report could contain spoofed or altered market data, which may mislead financial decisions.
The Sina HTTPS request disables certificate and hostname verification, allowing a network attacker or proxy to tamper with returned stock data.
ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
Remove the TLS bypass, use default certificate verification, prefer HTTPS for all data sources, and validate API responses.
A scheduled task may keep trying to run every morning; if adjusted with parameters, it could send reports daily.
The documentation asks the user to add a daily cron job. This is disclosed and aligned with scheduled reports, but it creates persistent recurring execution until removed.
crontab -e ... add: 30 8 * * * /root/.openclaw/workspace/skills/stock-daily-report/scripts/send_report.sh >> /tmp/stock_report.log 2>&1
Only add the cron job intentionally, document how to remove it, and verify the stock list and Feishu target before scheduling.
The skill may fail, use an unexpected local binary, or behave differently across environments.
The script depends on fixed local install and OpenClaw binary paths despite the registry declaring no install spec or required binaries. This is not malicious by itself, but it is brittle and under-declared.
cd /root/.openclaw/workspace/skills/stock-daily-report/scripts; OPENCLAW="/opt/node-v24.13.0-linux-x64/bin/openclaw"
Declare runtime requirements, avoid hard-coded absolute paths where possible, and resolve the OpenClaw binary from a trusted configured location.
