Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
7d Stock Analyzer
v1.0.1七维分析框架 - 深度股票分析 Agent,整合多数据源进行全方位股票分析
⭐ 0· 72·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill is a Python stock-analysis agent and requires python3 which is appropriate. However SKILL.md and metadata declare QVERIS_API_KEY as a required environment variable even though QVeris is an optional data adapter (not used by default) and its adapter methods are unimplemented placeholders. Also the registry shows 'No install spec — instruction-only' while the package includes runnable Python scripts; that's an internal inconsistency between declared type and actual contents.
Instruction Scope
Runtime instructions are to run scripts/analyze.py and (in SKILL.md metadata) to pip-install efinance/akshare/pandas/numpy. The analyzers/adapters call those libraries to fetch data (network I/O) which is expected for this purpose. The adapters do not read unrelated files or other env vars. No hidden endpoints or obfuscated code were found in the source. The only scope oddity: Qveris adapter prints TODOs and does not implement network calls but the skill forces an API key requirement in metadata.
Install Mechanism
There is no registry install spec, but SKILL.md metadata includes a pip install step for known public packages (efinance, akshare, pandas, numpy) — these are common and reasonable for the functionality. The mismatch (registry saying no install spec vs SKILL.md providing pip install) is a packaging/information inconsistency but the install mechanism itself uses standard public packages (moderate risk).
Credentials
Only QVERIS_API_KEY is requested. Given that default data sources are efinance and akshare and QVeris is optional (and its adapter is unimplemented), treating QVERIS_API_KEY as required is disproportionate. The code only reads QVERIS_API_KEY in qveris_adapter.py; no other secret-like env vars are requested. Requesting this API key without providing implemented QVeris functionality is suspicious and should be justified by the author.
Persistence & Privilege
The skill does not request persistent privileges (always:false), does not modify other skills or system-wide settings, and contains no code that attempts to install daemons or persist credentials. It runs as a normal user-invoked CLI tool.
What to consider before installing
This package appears to implement the advertised stock-analysis functionality, but there are packaging and requirement inconsistencies you should clear up before installing:
- Ask the author why QVERIS_API_KEY is declared required when QVeris is optional and its adapter is currently a TODO/placeholder. Do not provide the API key until you confirm QVeris is actually used and how.
- Confirm the intended install process: the registry lists no install spec but SKILL.md metadata suggests pip-installing dependencies. If you install, run pip installs in a controlled environment (virtualenv or container).
- Review and run the code in a sandbox first. The adapters call third-party libraries that perform network I/O; verify they only contact expected services (efinance/akshare) and do not exfiltrate data to unknown endpoints.
- If you plan to supply any API keys, prefer creating a dedicated, scoped key for testing and rotate it if you stop using the skill.
If the author clarifies that QVeris is optional (and removes QVERIS_API_KEY from required metadata) and documents the install step consistently, the inconsistencies would be resolved and the package would look coherent.Like a lobster shell, security has layers — review code before you run it.
latestvk97a92j0103v9cb84k8v3vrapn83a2x6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binspython3
EnvQVERIS_API_KEY