Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Place stock buy/sell orders and run queries.

v1.0.0

Stock trading order placement and query functions. Requires the stock code, price, quantity and similar details. Supports buy, sell, position query, account query and cancel-order operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description describe trading (place orders, query positions and account, cancel orders), and the SKILL.md shows curl examples against a localhost API, which is consistent with a skill that proxies a local trading helper. Requiring only curl is proportionate to that purpose. However, the skill also instructs users to download a third-party '股票智能交易助手' (stock trading assistant) from https://www.gp998.com, external software that is not part of the skill package. This raises questions about provenance and whether that external component is actually required or trustworthy.
Instruction Scope
The runtime instructions tell the agent to POST/GET to http://localhost:8888 endpoints and to include an X-API-Key header. The SKILL.md therefore implicitly depends on a separate local service that holds brokerage credentials and performs real trades. The instructions neither require nor document how API keys and credentials are supplied securely, and they do not mandate explicit user confirmation before a trade. They also advise installing external software from an unvetted site (gp998.com). Together these factors expand the scope to potentially controlling real finances with few built-in guardrails.
Install Mechanism
There is no install spec in the skill (it is instruction-only), which is low risk by itself. However, the documentation instructs users to download and install a third-party trading helper from a specific URL and provides a QQ contact; that instruction effectively delegates installation to an unverified external site. The skill itself installs no code, but it depends on external software whose safety and integrity are unknown.
Credentials
The skill declares no required environment variables or primary credentials, yet every example request includes an X-API-Key header (defaulting to 'test-api-key-12345'). This is an incoherence: a trading skill that places orders should state clearly how credentials are obtained and stored. Because no credentials are declared, the agent or user may have to configure secrets elsewhere (for example in the local trading helper), and those secrets could be used to execute financial transactions. Asking users to install external software further obscures where the credentials live.
Persistence & Privilege
always: false and disable-model-invocation: false (normal). On its own this is acceptable, but because the skill can place trades, the combination of autonomous invocation with no explicit confirmation step or declared safeguard increases the risk. The skill does not request system-wide privileges or modify other skills.
What to consider before installing
This skill calls a local trading service to execute real buy/sell orders. Before installing or enabling it:

1) Do not install or run software from gp998.com unless you can verify its source and trustworthiness (prefer a vendor with a clear reputation and audited code).
2) Confirm where your brokerage credentials and API keys are stored (the examples use an X-API-Key header, but the skill declares no credentials) and never paste live keys into untrusted software.
3) Disable autonomous invocation or require explicit user confirmation for every trade; otherwise the agent could place orders without being prompted.
4) If you test, use a sandbox or paper-trading environment only.
5) If you must proceed, inspect and control the local trading helper (its network access, its logs, and what it transmits), and monitor account activity closely.

If you are unsure about the external helper or about credential handling, do not enable this skill.
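The checks in the scan sections above (external download link, placeholder API key, undeclared credential, no confirmation step, no sandbox guidance, autonomous invocation of a trading skill) can be run mechanically against a SKILL.md before enabling a skill. The script below is an added example written for this page; it is not ClawHub's scanner or any code from the skill. The two SKILL.md samples are constructed from the details the scan report gives (localhost:8888 API, X-API-Key header defaulting to 'test-api-key-12345', a download link to gp998.com); the endpoint paths, the frontmatter keys `env`/`credentials`, and the hardened wording are assumptions made for illustration.

```python
"""Audit an OpenClaw-style SKILL.md for the risk patterns flagged on this page.

Added example, not ClawHub's scanner. Endpoint paths, frontmatter keys and the
sample texts are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample mirroring the findings on this page (not the real SKILL.md).
SAMPLE_SKILL_MD = """---
name: stock-trading
description: Place, cancel and query stock orders.
always: false
disable-model-invocation: false
---
First download and install 股票智能交易助手 from https://www.gp998.com/download
(contact QQ for support), then run it so it listens on port 8888.

Place a buy order:
curl -X POST http://localhost:8888/order -H "X-API-Key: test-api-key-12345" \\
  -d '{"side":"buy","symbol":"600000","price":10.5,"qty":100}'

Query positions:
curl http://localhost:8888/positions -H "X-API-Key: test-api-key-12345"
"""

# Constructed hardened counterpart: key comes from a declared env var, trades
# require confirmation, testing is paper-only, no external downloads.
HARDENED_SKILL_MD = """---
name: stock-trading
description: Place, cancel and query stock orders.
always: false
disable-model-invocation: true
env:
  - TRADING_API_KEY
---
Before any buy or sell order, ask the user to confirm the exact symbol, side,
price and quantity. Use a paper-trading account for testing.

curl -X POST http://127.0.0.1:8888/order -H "X-API-Key: $TRADING_API_KEY" \\
  -d '{"side":"buy","symbol":"600000","price":10.5,"qty":100}'
"""

PLACEHOLDER_KEYS = {"test-api-key-12345", "changeme", "your-api-key"}
TRADE_WORDS = re.compile(r"\b(buy|sell|order|orders|cancel|trade)\b", re.I)
CONFIRM_WORDS = re.compile(r"\b(confirm|confirmation|approve|ask the user)\b", re.I)
SANDBOX_WORDS = re.compile(r"\b(paper|sandbox|simulat\w*|dry[- ]run)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
API_KEY_RE = re.compile(r"X-API-Key:\s*([^\s\"']+)", re.I)


def parse_frontmatter(text):
    """Return the top-level key/value pairs of a YAML-ish '---' frontmatter block."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    fm = {}
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep and not line.startswith(" "):
            fm[key.strip()] = value.strip()
    return fm


def audit_skill(text, local_hosts=("localhost", "127.0.0.1")):
    """Return a list of (finding, detail) tuples; an empty list means no flags."""
    findings = []
    fm = parse_frontmatter(text)
    is_trading = bool(TRADE_WORDS.search(text))

    # 1) Any URL that is not the local helper is an external download/contact.
    for url in URL_RE.findall(text):
        if (urlparse(url).hostname or "") not in local_hosts:
            findings.append(("external-download", url))

    # 2) Literal API keys in examples: placeholders are bad, real ones are worse.
    for match in API_KEY_RE.finditer(text):
        key = match.group(1)
        if key.startswith(("$", "{{", "<")):
            continue  # reference to a variable/template, not a literal secret
        kind = "placeholder-api-key" if key.lower() in PLACEHOLDER_KEYS else "hardcoded-api-key"
        if (kind, key) not in findings:
            findings.append((kind, key))

    # 3) A key header is used but the skill declares no credential source.
    declares_creds = any(k in fm for k in ("env", "credentials", "secrets"))
    if API_KEY_RE.search(text) and not declares_creds:
        findings.append(("undeclared-credential", "X-API-Key"))

    # 4-6) Trading instructions without confirmation, sandbox or invocation guard.
    if is_trading and not CONFIRM_WORDS.search(text):
        findings.append(("no-confirmation-step", ""))
    if is_trading and not SANDBOX_WORDS.search(text):
        findings.append(("no-sandbox-guidance", ""))
    if is_trading and fm.get("disable-model-invocation", "false") == "false":
        findings.append(("autonomous-trading", "disable-model-invocation: false"))
    return findings


if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_SKILL_MD), ("hardened", HARDENED_SKILL_MD)):
        print(name, audit_skill(doc) or "no findings")
```

The audit is deliberately text-level: a SKILL.md is an instruction file, so the questions it can answer are "where does the agent send requests", "where do the secrets come from" and "what does the text tell the agent to do before acting". It cannot tell you what the gp998.com helper does once installed; that still requires inspecting the binary and its network behaviour, as item 5 above says.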


latest: vk977fxy7ay4r14crd0hhb0c8ax84aev8


Runtime requirements

Clawdis
Bins: curl
