Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
trading-log
v1.0.0. Trading log system: records all buy/sell trades, computes position profit and loss, and automatically refreshes real-time quotes. When the user mentions buying/selling stocks, recording trades, checking positions, or calculating profit/loss.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to record trades, compute P/L, and fetch real-time prices, and the included Python script and SKILL.md do implement that functionality. However, SKILL.md and the file manifest reference filenames such as '交易日志.py' and files expected on ~/Desktop, while the actual code lives at scripts/trading_log.py and uses hardcoded paths under /home/jocob/Desktop. This discrepancy is unexpected and suggests the package was not assembled consistently.
Instruction Scope
SKILL.md instructs the agent to run commands from ~/Desktop and refers to a main-agent Cron job that will trigger daily updates, but the shipped script reads and writes a hardcoded LOG_FILE at /home/jocob/Desktop/交易日志_持仓记录.json, and its code path differs from the documented file names. The instructions also assert '记录永久保存,不可删除' (records are saved permanently and cannot be deleted) without any mechanism to enforce or manage retention. These mismatches create a risk that the agent will read or write unexpected filesystem locations or fail silently.
Install Mechanism
There is no install spec (instruction-only plus an included script). That minimizes supply-chain risk; nothing is downloaded at install time and no external packages are automatically pulled.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a local trading log. However, it does access the user's filesystem (hardcoded /home/jocob Desktop paths). While not a secret-exfiltration pattern, hardcoded user paths are brittle and could unintentionally access another user's files on multi-user systems or fail to store data where the user expects.
Persistence & Privilege
The skill is not marked always:true and does not request elevated privileges, but it writes persistent JSON trade logs and claims they are permanent. It also references being triggered by a '主Agent的Cron系统' (the main agent's Cron system) without providing installation or scheduling steps; if the agent is allowed to schedule recurring tasks, this will create long-lived data on disk. Autonomous invocation is allowed by default; together with the persistent storage, that is the combination to restrict if you need to limit continuous background activity.
What to consider before installing
This skill appears to implement a local trading log and fetches real-time prices from Tencent (qt.gtimg.cn), which matches its description, but there are inconsistencies you should resolve before using it. Specifically:
(1) The documentation and manifest reference different filenames than the shipped script, and the script uses a hardcoded path (/home/jocob/Desktop/...) rather than the ~/Desktop path described; confirm and correct the file locations so it reads and writes where you expect.
(2) The skill will create persistent JSON files containing your trades; if you care about privacy or retention, inspect the save/load functions and change the paths or add deletion/backup policies.
(3) It makes outbound HTTP requests only to a known public price API (qt.gtimg.cn); if you require stricter network controls, run it in a sandboxed environment or block network access.
(4) Because SKILL.md mentions automatic Cron triggers but provides no installer for scheduling, verify how your agent will schedule runs before enabling autonomous invocation.
If you want to proceed, run the script locally in a controlled folder (not someone else's /home), review the code yourself (or have a developer do so), and fix the path/filename inconsistencies.
