Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Fundamental Analysis
v1.0.0对上市公司进行深度基本面分析,包括财务健康度评估、估值分析、成长性分析、行业对标、财报解读,输出结构化投研报告
⭐ 0· 58·0 current·0 all-time
by@wuritu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to perform multi‑dimensional fundamental analysis and includes a valuation engine (valuation_engine.py) and a data fetcher (financial_fetcher.py), which is coherent with the stated purpose. However, SKILL.md expects many other helper scripts (health_checker.py, growth_analyzer.py, industry_comparator.py, report_parser.py, shareholder_tracker.py) that are not present in the bundle. The fetcher also inserts a path to a local 'toc-trading/src' module (stock_data_adapter) which is not declared in requirements or documented — relying on a local/sidecar package is unexpected and unexplained.
Instruction Scope
The SKILL.md runtime commands call a set of tools that do not exist in the package (e.g., tools/health_checker.py, tools/growth_analyzer.py). That means following the provided instructions will fail or cause the integrator/agent to search for or attempt to import missing modules. The instructions also reference {baseDir} and expect scripts under tools/ but the manifest only includes two files. No instructions ask for unrelated system files, but the mismatch gives the agent broad discretion to locate/require other code (toc-trading), which is a scope creep and operational risk.
Install Mechanism
There is no install spec (instruction-only), which lowers installation risk. However, financial_fetcher.py dynamically adds a relative path to 'toc-trading/src' into sys.path at runtime; this implicitly depends on an external/local repository to be present. Because that dependency is not declared or bundled, it is unexpected and could cause the agent to import code from an unknown location on disk or fail at runtime.
Credentials
The skill requests a single API credential (STOCK_DATA_API_KEY) as its primary credential, which is proportionate for fetching market/financial data. The included files do not read other environment variables. Note: the supplied code does not explicitly show how STOCK_DATA_API_KEY is consumed — likely the stock_data_adapter (external) would use it, so the key's usage should be confirmed before granting.
Persistence & Privilege
The skill does not request always: true and does not declare any system config paths. It is user-invocable and allows normal autonomous invocation. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
Do not install or enable this skill yet. Key concerns: (1) SKILL.md lists several helper scripts (health_checker.py, growth_analyzer.py, industry_comparator.py, report_parser.py, shareholder_tracker.py) that are missing from the package — ask the author to supply those files or update the instructions. (2) financial_fetcher.py appends a relative 'toc-trading/src' path and imports StockDataAdapter from there; confirm where 'toc-trading' comes from, whether it will be present at runtime, and inspect that adapter's code for how it handles your STOCK_DATA_API_KEY and remote endpoints. (3) Verify the provenance of the package (source/homepage unknown) and ensure the data provider is trusted and licensed. If you must test this skill, do so in an isolated environment, monitor network calls, and avoid providing high‑privilege or long‑lived credentials until you confirm how the key is used.Like a lobster shell, security has layers — review code before you run it.
latestvk978353s7pyeg19xy3jw3tneh184bs54
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏢 Clawdis
Binspython3
EnvSTOCK_DATA_API_KEY
Primary envSTOCK_DATA_API_KEY