trading-log

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a plausible local trading journal, but it needs review because it may run a Desktop script that is not bundled with the skill, keeps sensitive financial records indefinitely, runs on a schedule, and gives the user little control over any of that.

Review this skill before installing. If you use it, verify the exact script that will run, keep backups of the JSON trading log, avoid entering sensitive account identifiers, and confirm whether a cron job is installed and how to remove it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could execute a local script that was never part of the reviewed skill, or the skill may not work as documented because the file its command names does not exist.

Why it was flagged

The documented command runs a file named 交易日志.py in ~/Desktop, but the supplied manifest contains scripts/trading_log.py and no install step that creates the Desktop file. Whatever sits at that path at run time is what executes, so this is a provenance gap for code execution.

Skill content
cd ~/Desktop && python3 交易日志.py <command> [args]
Recommendation

Run only the bundled reviewed script by explicit path, or add an install spec that copies/verifies the exact script and hash before execution.
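The following is an added example of the recommendation above; it is not the skill's code and not a ClawScan artifact. It runs the bundled script by explicit path only after checking that the file is a regular, non-symlink file whose SHA-256 matches a hash pinned at review time, and it shows the two failure modes behind the finding: the path the skill's command names does not exist, and a file at the expected path no longer matches what was reviewed. The directory layout, the fixture script and the pinned hash are assumptions for the example.

```python
"""Run the reviewed trading-log script, and only that script.

Added example, not part of the trading-log skill. The skill's documented
command does `cd ~/Desktop && python3 交易日志.py ...`, picking up whatever
file has that name. This wrapper resolves the bundled scripts/trading_log.py
by explicit path and compares its SHA-256 with a hash pinned when the code was
reviewed. Paths and the fixture content are hypothetical.
"""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


class ProvenanceError(RuntimeError):
    """Raised when the file on disk is not the one that was reviewed."""


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_script(script: Path, expected_sha256: str) -> Path:
    """Return the absolute path of `script` only if it is a regular, non-symlink
    file whose SHA-256 equals `expected_sha256`; otherwise raise ProvenanceError."""
    if script.is_symlink():
        raise ProvenanceError(f"{script} is a symlink; refusing to follow it")
    if not script.is_file():
        raise ProvenanceError(f"{script} is missing or not a regular file")
    actual = sha256_file(script)
    if actual != expected_sha256.lower():
        raise ProvenanceError(f"{script}: hash {actual} != pinned {expected_sha256}")
    return script.resolve()


def run_verified(script: Path, expected_sha256: str, args: list) -> int:
    """Run the verified script with the current interpreter and return its exit code."""
    verified = verify_script(script, expected_sha256)
    return subprocess.run([sys.executable, str(verified), *args], check=False).returncode


def pin_fixture(directory: Path) -> tuple:
    """Create a stand-in for scripts/trading_log.py (constructed content) and
    return its path with the hash a reviewer would pin for it."""
    script = directory / "scripts" / "trading_log.py"
    script.parent.mkdir(parents=True, exist_ok=True)
    script.write_text("import sys\nprint('trading_log', sys.argv[1:])\n", encoding="utf-8")
    return script, sha256_file(script)


def _rejected(check) -> bool:
    """True if `check()` raises ProvenanceError."""
    try:
        check()
    except ProvenanceError:
        return True
    return False


def demo() -> dict:
    """Pin a fixture, verify it, then exercise both failure modes: the Desktop
    path the skill's command would use is absent, and a modified file is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        script, pinned = pin_fixture(Path(tmp))
        verified = verify_script(script, pinned) == script.resolve()
        desktop_copy = Path(tmp) / "Desktop" / "交易日志.py"  # never created, as in the manifest
        missing_rejected = _rejected(lambda: verify_script(desktop_copy, pinned))
        script.write_text("print('not what was reviewed')\n", encoding="utf-8")
        tamper_rejected = _rejected(lambda: verify_script(script, pinned))
    return {"verified": verified, "missing_rejected": missing_rejected,
            "tamper_rejected": tamper_rejected, "pinned": pinned}


if __name__ == "__main__":
    print(demo())
```

Pin the hash of the copy you actually read, keep the pinned value outside the skill directory so a skill update cannot silently update its own pin, and point `run_verified` at the bundled path rather than at ~/Desktop.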

What this means

A misread message or a mistyped command could create inaccurate financial records that the skill then treats as authoritative.

Why it was flagged

Buy/sell commands append to and save the persistent trading log and positions. The artifacts show no approval, undo, or deletion workflow for these mutations of financial records.

Skill content
data["trade_log"].append(trade) ... save(data)
Recommendation

Require explicit user confirmation before recording trades, validate prices/quantities, and provide a documented correction or rollback workflow.

What this means

Your stock trades, prices, quantities, reasons, and optional account labels may remain in a local JSON file indefinitely.

Why it was flagged

The skill intentionally persists sensitive trading history indefinitely and does not document user-controlled retention or deletion.

Skill content
Trade records are kept permanently and cannot be deleted (original: 交易记录永久保存,不可删除)
Recommendation

Install only if you accept permanent local retention, and ask the maintainer to add retention, export, correction, and deletion controls.
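The following is an added example, not the skill's code, covering both recommendations above (confirmation, validation and a correction workflow for trade writes; user-controlled retention for the stored history). It keeps the two top-level keys visible in the artifacts, `trade_log` and `positions`, but the rest of the JSON layout, the field names, and the stock-code format (the `sh`/`sz` prefixes seen in the quote URL) are assumptions. Corrections are appended as compensating entries that cite the original rather than rewriting it, so the log stays an audit trail while still being correctable; the purge is the retention control the skill says it does not offer.

```python
"""Guarded writes for the JSON trading log.

Added example, not the trading-log skill's code. The artifacts show
`data["trade_log"].append(trade) ... save(data)` with no validation,
confirmation, correction or deletion path; the JSON layout below is assumed.
"""
import json
import tempfile
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation
from pathlib import Path

class TradeError(ValueError):
    """Any reason a mutation must not be written."""

def validate_trade(code, side, price, qty):
    """Reject malformed input before anything touches the log."""
    if not (len(code) == 8 and code[:2] in ("sh", "sz") and code[2:].isdigit()):
        raise TradeError(f"bad stock code {code!r}")
    if side not in ("buy", "sell"):
        raise TradeError(f"bad side {side!r}")
    try:
        p, q = Decimal(price), Decimal(qty)
    except InvalidOperation:
        raise TradeError("price and quantity must be decimal numbers") from None
    if p <= 0 or q <= 0 or q != q.to_integral_value():
        raise TradeError("price must be > 0 and quantity a positive integer")
    return {"code": code, "side": side, "price": str(p), "qty": int(q)}

def load(path):
    return json.loads(path.read_text(encoding="utf-8")) if path.exists() else {"trade_log": [], "positions": {}}

def save(path, data):
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(data, ensure_ascii=False, indent=2), encoding="utf-8")
    tmp.replace(path)  # atomic rename: a crash never leaves a half-written log

def _apply(data, entry):
    delta = entry["qty"] if entry["side"] == "buy" else -entry["qty"]
    data["positions"][entry["code"]] = data["positions"].get(entry["code"], 0) + delta

def record_trade(path, trade, confirm, now=None):
    """Append a validated trade only after confirm(trade) returns True; return its id."""
    if not confirm(trade):
        raise TradeError("trade not confirmed; nothing written")
    data = load(path)
    held = data["positions"].get(trade["code"], 0)
    if trade["side"] == "sell" and trade["qty"] > held:
        raise TradeError(f"cannot sell {trade['qty']} of {trade['code']}; holding {held}")
    entry = {"id": len(data["trade_log"]) + 1,
             "ts": (now or datetime.now(timezone.utc)).isoformat(), **trade}
    data["trade_log"].append(entry)
    _apply(data, entry)
    save(path, data)
    return entry["id"]

def correct_trade(path, entry_id, reason, now=None):
    """Undo an entry with a compensating entry that cites it; the original is marked void, never rewritten."""
    data = load(path)
    original = next((e for e in data["trade_log"] if e["id"] == entry_id), None)
    if original is None or original.get("void") or "corrects" in original:
        raise TradeError(f"entry {entry_id} is not correctable")
    reversal = {**original, "id": len(data["trade_log"]) + 1,
                "ts": (now or datetime.now(timezone.utc)).isoformat(),
                "side": "sell" if original["side"] == "buy" else "buy",
                "corrects": entry_id, "reason": reason}
    original["void"] = True
    data["trade_log"].append(reversal)
    _apply(data, reversal)
    save(path, data)
    return reversal["id"]

def purge_older_than(path, days, today=None):
    """Retention control: drop history older than `days`, keep positions, return the count dropped."""
    data = load(path)
    cutoff = (today or datetime.now(timezone.utc)) - timedelta(days=days)
    keep = [e for e in data["trade_log"] if datetime.fromisoformat(e["ts"]) >= cutoff]
    dropped = len(data["trade_log"]) - len(keep)
    data["trade_log"] = keep
    save(path, data)
    return dropped

def rejects(fn):
    try:
        fn()
    except TradeError:
        return True
    return False

def demo():
    """Walk the controls through constructed trades on a throwaway log."""
    day = lambda m, d: datetime(2024, m, d, tzinfo=timezone.utc)
    yes, no = (lambda t: True), (lambda t: False)
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "trading_log.json"
        record_trade(log, validate_trade("sh600519", "buy", "1700.5", "100"), yes, day(1, 2))
        sell = record_trade(log, validate_trade("sh600519", "sell", "1710", "30"), yes, day(3, 1))
        out = {
            "denied": rejects(lambda: record_trade(log, validate_trade("sz000001", "buy", "10", "1"), no)),
            "bad_qty": rejects(lambda: validate_trade("sh600519", "sell", "1", "-5")),
            "oversell": rejects(lambda: record_trade(log, validate_trade("sh600519", "sell", "1", "500"), yes)),
        }
        correct_trade(log, sell, "quantity typo", day(3, 2))
        out["dropped"] = purge_older_than(log, 30, today=day(3, 20))
        data = load(log)
        out["position"], out["entries"] = data["positions"]["sh600519"], len(data["trade_log"])
        return out
```

In an agent setting `confirm` should be a real prompt to the human, not a function the agent can answer for itself; the point of the callback is that the write path cannot proceed on the agent's own reading of a message.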

What this means

If the cron job is configured, the skill keeps updating trading history on a schedule after installation.

Why it was flagged

A scheduled background task is disclosed and matches the skill's purpose, but the artifacts show no setup, disabling, or cleanup controls.

Skill content
Daily automatic Cron ... trading days 15:30 ... refresh live prices → compute profit/loss → store in history ... triggered by the main Agent's Cron system (original: 每日自动Cron ... 交易日 15:30 ... 刷实时价格 → 计算盈亏 → 存入历史记录 ... 由主Agent的Cron系统触发)
Recommendation

Verify whether any scheduled task is installed, how to disable it, and where scheduled outputs are stored.
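The following is an added example, not the skill's code, of the check recommended above. The skill says the refresh is "triggered by the main Agent's Cron system", and that scheduler is not described in the artifacts, so the example inspects the one scheduler a practitioner can read directly, the user's crontab, lists active entries that mention either script name, and produces a copy with those entries commented out for reinstalling with `crontab -`. The crontab text is constructed for the example.

```python
"""Find and disable crontab entries that reference the trading-log script.

Added example, not part of the trading-log skill. It covers the user's crontab
only; if the agent keeps its own scheduler, that must be checked separately.
"""
import subprocess

SCRIPT_NAMES = ("交易日志.py", "trading_log.py")

# Constructed sample of `crontab -l` output: an unrelated job, an entry shaped
# like the one the skill describes (weekdays 15:30), and a second reference.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
30 15 * * 1-5 cd ~/Desktop && python3 交易日志.py refresh >> ~/trading.log 2>&1
@daily /home/user/.skills/trading-log/scripts/trading_log.py summarize
"""


def find_scheduled(crontab_text, names=SCRIPT_NAMES):
    """Return every active line whose command mentions one of `names`, split into
    schedule and command. Comments, blank lines and malformed lines are skipped."""
    found = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not any(n in stripped for n in names):
            continue
        if stripped.startswith("@"):                 # @daily, @reboot, ... forms
            schedule, command = stripped.split(None, 1)
        else:                                        # five time fields then the command
            parts = stripped.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        found.append({"line": lineno, "schedule": schedule, "command": command})
    return found


def disable_entries(crontab_text, names=SCRIPT_NAMES):
    """Return the crontab with matching entries commented out, ready for `crontab -`.
    Nothing is deleted, so the entry can be reviewed or restored later."""
    hits = {e["line"] for e in find_scheduled(crontab_text, names)}
    lines = [f"# disabled by review: {line}" if i in hits else line
             for i, line in enumerate(crontab_text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


def current_crontab():
    """Read the live user crontab; empty string if none is installed."""
    result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else ""


if __name__ == "__main__":
    for entry in find_scheduled(current_crontab()):
        print(entry)
```

Also look at the directory the scheduled command writes to (the `>> ~/trading.log` redirection in the sample is where its output would accumulate), since that is the "where scheduled outputs are stored" part of the recommendation.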

What this means

A third-party quote service can see which stock codes are requested.

Why it was flagged

Live price refreshes send the stock codes to Tencent's quote endpoint. That is expected for the feature, but it discloses the queried holdings and watchlist codes to that provider.

Skill content
Tencent quick quote API (腾讯快接口) `https://qt.gtimg.cn/q=sh600519,sz000001,...`
Recommendation

Use live pricing only if you are comfortable sharing queried stock codes with the quote provider.