A Share Pro
Security checks across malware telemetry and agentic risk
Overview
This stock-monitoring skill is coherent and purpose-aligned, but users should notice that it stores portfolio-like data locally, queries third-party finance sites, and installs Python packages.
This skill appears safe for its stated purpose if you are comfortable with local storage of investment-related data and third-party quote lookups. Install it in a controlled Python environment, review ~/.openclaw/a_share for saved data, and remember that the bundled financial analysis/report examples are not a substitute for independent investment advice.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing may change your Python environment and relies on packages downloaded from PyPI.
The user-directed installer pulls Python packages from pip without exact version pinning. This is common for a Python finance utility, but it depends on external package supply chains and modifies the local Python environment.
pip3 install requests beautifulsoup4 pandas -q
Run the installer only in an environment you trust, preferably a virtual environment, and consider pinning or reviewing dependency versions.
If you set a Tushare token, the skill may be able to use that provider credential for market-data access.
The code reads an optional Tushare API token even though registry metadata declares no credentials. This is related to the stated Tushare data-source support, and the provided code does not show hardcoding, logging, or unrelated transmission of the token.
TUSHARE_TOKEN = os.environ.get("TUSHARE_TOKEN", "")
Use a minimally scoped Tushare token if needed, and avoid setting unrelated credentials in the same environment.
Your selected stocks and any transaction records can remain on disk after use.
The skill persists watchlist and transaction-style files locally. This is disclosed and purpose-aligned, but the data can reveal investment interests or holdings.
DATA_DIR = os.path.expanduser("~/.openclaw/a_share")
WATCHLIST_FILE = os.path.join(DATA_DIR, "watchlist.txt")
TRANSACTIONS_FILE = os.path.join(DATA_DIR, "transactions.txt")
Treat ~/.openclaw/a_share as private financial data, review its contents periodically, and delete or encrypt it if needed.
Third-party finance services, and possibly network observers for HTTP traffic, may see which symbols you query.
The monitor sends stock symbols to external market-data providers. This is central to the skill's purpose and disclosed in SKILL.md, but it exposes query patterns to those services; Tencent is queried over HTTP.
url = f"http://qt.gtimg.cn/q={tencent_code}" ... "https://stock.xueqiu.com/v5/stock/realtime/quotec.json" ... "https://finance.pae.baidu.com/selfselect/getstockinfo"
Use the skill only if you are comfortable sharing queried stock symbols with the listed data providers, and prefer HTTPS-capable sources where possible.
In unusual environments, the script could import a different local config or monitor module than the reviewed one.
The script adds a hard-coded developer-local path to Python's import search path. On most systems this path will not exist, but if it does, imports could resolve to files outside the installed skill package.
sys.path.insert(0, '/Users/wangrx/.openclaw/workspace/skills/a-share-pro/scripts')
Remove the hard-coded absolute path and use paths relative to the script directory before relying on the package in production.
