ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Share Short Decision.Bak

v1.0.0

A-share short-term trading decision skill for 1-5 day horizon. Use when you need real-data market sentiment, sector rotation, strong stock scanning, capital...

0· 104·0 current·1 all-time
by@wu-xiaolin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the implementation: code implements market sentiment, sector rotation, stock scanning, capital flow analysis, risk control, prediction logging, and report generation. However the registry metadata declared no dependencies while the code clearly expects akshare and pandas (and README/requirements.md mention pip install akshare pandas). The skill writes/reads data/decision_log.jsonl (local persistence) which is coherent for a prediction logger.
Instruction Scope
SKILL.md instructions (run signal engine, persist prediction, compare with market, generate report) align with the code and with CLI examples in main.py. The runtime will read live market data via the akshare library and will read/write local files under data/. The SKILL.md and README mention subskills under subskills/ (optimize_from_aggressive.py, generate_daily_recommendation.py) but those subskill files are not present in the provided manifest — this is an inconsistency to verify. The runtime does not attempt to read unrelated system files or secrets, but it does read environment variables (SHORT_DECISION_DEBUG, SHORT_DECISION_FALLBACK_ENABLED) not declared in the skill metadata.
Install Mechanism
There is no formal install spec (instruction-only in registry), which is low risk, but the shipped code has external Python dependencies (akshare, pandas). The README/requirements.md advise pip install akshare pandas; missing these will cause the code to fall back to 'unavailable' behavior or error. No downloads from unknown URLs or installer scripts are present.
!
Credentials
The skill declares no required env vars/credentials but the code reads SHORT_DECISION_DEBUG and SHORT_DECISION_FALLBACK_ENABLED (to control debug output and data fallbacks). This is a mismatch between declared metadata and actual runtime behavior. No cloud credentials or secrets are requested, which is good. The skill will perform network requests via akshare to public market data providers (normal for this purpose) and will write logs to data/decision_log.jsonl.
Persistence & Privilege
The skill does local persistence (data/decision_log.jsonl) and includes a scheduler.yaml for recurring tasks, but it does not request permanent platform privileges (always:false) nor does it modify other skills. Autonomous invocation (disable-model-invocation:false) is the default; combined with moderate external access (akshare network calls) this increases runtime reach but is normal for a market-data skill.
What to consider before installing
What to check before installing/running: - Dependencies: install and vet akshare and pandas in a controlled virtual environment before running; missing packages trigger fallback or errors. README indicates pip install akshare pandas. - Network access: the skill relies on akshare to fetch live/historical market data. Expect outbound network calls to public market-data sources; run it where that is acceptable. - Local files: the skill writes/reads data/decision_log.jsonl and reads config.json. Ensure you are comfortable with local persistence and its location, and run in an isolated workspace if you want to avoid mixing with other data. - Undeclared env vars: the code reads SHORT_DECISION_DEBUG and SHORT_DECISION_FALLBACK_ENABLED even though the skill metadata lists none — if you rely on fallback behavior or enable debug mode, set those explicitly and be aware of their effect. - Missing subskill scripts: SKILL.md references subskills under subskills/ but those files are not present in the manifest; verify whether those are required for your workflows. - Safety: this is an analysis/research tool, not investment advice. Test thoroughly on historical data and in a sandbox before using outputs to drive any live trading. If you want, I can list the precise akshare APIs this skill calls (useful to audit expected outbound endpoints) or point out the specific files/lines where the undeclared env vars and local writes occur.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cy0265z0qxw9vkbw2rpa2dx833r4z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments