Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Private Fund Portfolio Analysis

v1.6.0

How to build a holdings-structure analysis script for private funds. Supports two product types: market-neutral (short futures hedge) and index-enhanced (holdings vs. benchmark index, overweight/underweight). Triggered when holdings need to be parsed from a private fund valuation sheet (XLS/XLSX), analyzed by industry distribution / market-cap distribution / index constituents / futures hedging, and turned into a visual report. Also used for: generating holdings analysis scripts, refactoring scripts, adding new data sources, fixing script bugs, and generating analysis reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill's purpose (parsing XLS portfolio files, enriching with AKShare, optional MySQL lookup) is coherent with the included instructions and prompt template. However the registry metadata declares no required environment variables or credentials while the SKILL.md and references explicitly expect a MySQL data source and show environment-variable usage — and the SKILL.md even includes a concrete default host (43.138.222.153) and password (w6w%vkXENC82PGZo). This mismatch between declared requirements and actual instructions is inconsistent and unexpected.
Instruction Scope (flagged)
The SKILL.md instructs the agent to parse XLS files, call AKShare (network), cache CSVs, and connect to a MySQL database. The MySQL connection snippet includes defaults and a real-looking IP/password; the instructions would cause network access and database queries. The instructions also reference specific workspace paths and output files. These behaviors go beyond pure local parsing (they require external network/database access) and are not reflected in the skill's metadata.
Install Mechanism
There is no install spec — the skill is instruction-only with one prompt-generating script. No downloads or archive extraction are specified, which is the lower-risk installation model.
Credentials (flagged)
Although the registry lists no required env vars, the references/docs explicitly require MYSQL_HOST/PORT/USER/PASSWORD/DATABASE and the SKILL.md includes a default MySQL host and password inline. That embedded credential is disproportionate to a simple analysis helper (it binds the skill to a specific external database). The skill also performs network calls (AKShare) which are reasonable for market enrichment, but the undeclared, hardcoded DB credential is a red flag.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide settings. It writes output files (CSV/JSON/PNG) to the workspace as expected for a reporting script. No elevated or persistent platform privilege is requested.
What to consider before installing
Don't install or run this skill as-is. The SKILL.md contains an explicit MySQL connection snippet with a concrete IP and password default — either that is an accidental leak of real credentials or a dangerous placeholder. Before proceeding:
1) Ask the publisher to remove any embedded credentials and to declare required environment variables in the skill metadata.
2) If you must run it, run it in an isolated environment (no access to your production networks) and verify the MySQL host is one you control; treat the embedded credential as potentially live and change passwords if that host is yours.
3) Inspect the code and test with synthetic XLS files locally (disable network calls) to confirm behavior.
4) If the skill needs DB access, require explicit, user-provided credentials (no defaults) and document why the DB is needed.
5) Restrict outbound network access or run behind a firewall while reviewing.
These steps will reduce the risk of unintended data exfiltration or accidental use of unknown credentials.


Tags: akshare, futures, index-enhanced, latest, portfolio-analysis, private-fund, sw-industry
