Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce automated daily/intraday reports and to analyze user holdings, but it declares no data sources, APIs, or credentials. For a tool that generates actionable trading advice you would normally expect required market-data APIs or brokerage access; their absence is a mismatch. The SKILL.md references 'position-rules.md' which is not present in the package manifest.
Instruction Scope
Runtime instructions describe schedules (crons) and prompts for analyzing '昨日盘面' (yesterday's market) and '我的持仓' (my holdings), but provide no concrete steps to fetch market data or how to access a user's portfolio. That ambiguity gives the agent broad discretion (e.g., it may ask the user to paste data or attempt to call external APIs), which expands scope beyond the described static checklist.
Install Mechanism
There is no install spec and no code files to execute (instruction-only). This minimizes install-time risk because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is consistent for an instruction/template. However, given its goal (automated market reports and position analysis), the lack of declared data/API credentials is notable — legitimate implementations would typically require market-data API keys or brokerage tokens. The omission is not clearly justified.
Persistence & Privilege
always:false and no system/config paths requested. The skill does not request persistent platform privileges or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill is essentially a documented analysis framework and prompt checklist — it does not include code or data connectors. Before installing or using it, confirm how it will obtain market data and your portfolio: will you manually paste data into the chat, or does the skill expect to be connected to an API/broker (in which case it should declare required credentials)? Note the SKILL.md references a file (position-rules.md) that is missing from the package. If you plan to let the agent run scheduled reports or to provide holdings, avoid sharing brokerage credentials directly unless you trust and verify an explicit integration. If you need fully automated reports, prefer a skill that clearly documents which APIs it uses and which credentials it requires.
Like a lobster shell, security has layers — review code before you run it.
latestvk97axhk05hm7x7sy3mezq7fcqh847e0k
