Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Reporting Interaction
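v1.0.0
Generates professional stock investment analysis reports (pre-market / post-market / research reports / weekly reports), renders visual charts, manages an investment journal, and provides a natural-language Q&A investment assistant experience.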
by @wuritu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (python3), and required env var (STOCK_DATA_API_KEY) are consistent with a stock-reporting/charting skill. The included chart_renderer.py and report_generator.py implement expected features. However, report_generator.py modifies sys.path to import stock_data_adapter from a sibling repo path ('toc-trading/src') that is not provided in the package; this is unexpected and reduces coherence because it delegates core data access to an external module not declared in metadata.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts, render Canvas HTML, and schedule cron triggers — all within the stated scope. The instructions do not explicitly ask for unrelated files or extra environment variables. But because runtime data access is delegated to StockDataAdapter (imported from outside the skill), the real data-access behavior (network endpoints, file reads, credential usage) is opaque from the SKILL.md and could exceed the declared scope.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or written by the skill at install time. This minimizes install-time risk. Note: the scripts require third‑party Python packages (pandas, mplfinance, plotly, matplotlib) but the skill does not declare or install them — the environment must provide them.
Credentials
The skill only declares a single required env var, STOCK_DATA_API_KEY, which is appropriate for a data-fetching stock skill and is set as primaryEnv. However, report_generator.py's import of an external StockDataAdapter (from toc-trading/src) is not declared and that adapter may read additional env vars or local credential files; the SKILL.md does not surface or justify any such extra access.
Persistence & Privilege
The skill does not request always:true, does not include an install step that modifies system-wide configuration, and is user-invocable only. It does not ask to persist or modify other skill configs. This is a normal, low-privilege presence.
What to consider before installing
This skill appears to do what it says (reporting and charting) and correctly requires a STOCK_DATA_API_KEY. Before installing or giving it your API key, do the following:
(1) Inspect the implementation of StockDataAdapter (the skill imports it from '../toc-trading/src') — that module is not included and may perform network calls or read local files. Do not provide credentials until you have reviewed what endpoints it calls and what data it sends.
(2) Run the scripts in an isolated environment (container or VM) so unexpected behavior cannot access other files.
(3) Limit the API key's permissions (read-only, minimal scope) and rotate it if you later remove the skill.
(4) Ensure required Python dependencies (pandas, mplfinance, plotly, matplotlib) are installed in a controlled environment.
(5) If you cannot locate or audit the referenced 'toc-trading/src/stock_data_adapter', treat the skill as incomplete/untrusted and avoid supplying real credentials.
Like a lobster shell, security has layers — review code before you run it.
latest vk97c8swpfam1zndkmv7rtvd21184a82g
Runtime requirements
📝 Clawdis
Bins: python3
Env: STOCK_DATA_API_KEY
Primary env: STOCK_DATA_API_KEY
