Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fund News Summary

v1.0.4

Automatically collects and summarizes the latest core news for US, Europe, Japan stock markets, gold, and prediction markets. Use when user asks about fund n...

0 · 838 · 3 current · 3 all-time
by Yonghao Zhao (@yonghaozhao722)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yonghaozhao722/fund-news-summary.

Install the skill "Fund News Summary" (yonghaozhao722/fund-news-summary) from ClawHub.
Skill page: https://clawhub.ai/yonghaozhao722/fund-news-summary
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install fund-news-summary

ClawHub CLI

npx clawhub@latest install fund-news-summary

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to collect/summarize fund news, which is reasonable, but the implementation references external tooling and side-effects not declared in metadata: it calls a local qveris tool under /root/clawd/skills/qveris, expects a Brave Search API key, saves files into /root/clawd/obsidian-vault, and auto-pushes to a GitHub repo. None of these required credentials, config paths, or inter-skill dependencies are declared in the registry metadata, which is disproportionate to the stated simple news-summary purpose.

! Instruction Scope
SKILL.md instructs running /root/clawd/skills/fund-news-summary/fund_news.py (cron-run at 11:00 BJT) and sending output to Telegram. The script itself also performs Obsidian file writes and GitHub pushes and executes other-skill scripts. The instructions grant broad filesystem and network actions (write to /root paths, call other skill code, push to remote), and SKILL.md does not document required credentials or external endpoints for these actions.
Install Mechanism
There is no install spec (instruction-only install), which minimizes supply-chain install risk. However, the included Python files use third-party libraries (aiohttp, asyncio patterns) and expect a sibling 'qveris' skill directory and local git configuration; missing an install step means required Python packages or other skill components may not be present, leading the script to run arbitrary local code if those files exist.

! Credentials
Registry metadata lists no required env vars, but the code reads BRAVE_API_KEY and the runtime behavior (Telegram send, Git push) implies additional secrets (Telegram bot token/chat id, Git credentials or SSH key) are needed. This mismatch is a high-risk omission: secrets are required by the code but not declared or scoped in the skill manifest.

! Persistence & Privilege
The skill is not always-enabled, but it is configured for automated cron execution and performs persistent actions: writing daily notes into /root/clawd/obsidian-vault and auto-pushing to a GitHub repo. It also invokes scripts in another skill directory (/root/clawd/skills/qveris). Those behaviors give it ongoing write/network capabilities and cross-skill execution scope that should be explicitly declared and limited.
What to consider before installing
This package is inconsistent: the code expects API keys and performs filesystem and network actions (Brave Search API, Telegram send, writing to /root/clawd/obsidian-vault, and git push), but the manifest declares no required credentials or dependencies. Before installing or enabling it, ask the author to: (1) list all required environment variables (BRAVE_API_KEY, Telegram bot token/chat id, any GIT credentials) and explain how credentials are stored; (2) declare the dependency on the local qveris skill and confirm what scripts it will execute; (3) confirm the Obsidian path and GitHub push behavior and why those external writes are necessary; (4) provide an install spec or dependency list (aiohttp, etc.). If you cannot obtain clear answers, run the skill in a sandbox or disable autonomous/cron execution and inspect its network calls (and verify that git pushes and Telegram messages cannot occur without explicit, separate credentials). Additional information (explicit env var list, a readme for qveris dependency, or limiting the skill to return results without auto-push/send) would raise confidence and could reclassify this as benign.

Like a lobster shell, security has layers — review code before you run it.

latest vk974gy6fpgc40vcrqvmh12bpnd81em36
838 downloads
0 stars
3 versions
Updated 15h ago
v1.0.4
MIT-0

Fund News Summary Skill

Purpose

Automatically collects and summarizes the latest core news for specified funds across multiple markets.

Supported Markets

  • US Markets: NASDAQ, S&P 500
  • Europe: European equity markets
  • Japan: Japanese stock market
  • Commodities: Gold
  • Prediction Markets: Polymarket and prediction market news

Execution

Automatic (Cron Job)

This skill is bound to the DailyFundNews cron job, executing automatically at 11:00 Beijing Time daily.

Manual Trigger

User can ask:

  • "Get today's fund news"
  • "Show market updates"
  • "What's the latest on my funds?"
  • "Run fund news summary"

When triggered, the Agent should:

  1. Run the script: python3 /root/clawd/skills/fund-news-summary/fund_news.py
  2. Read output: The script automatically generates a report and outputs to stdout
  3. Send to Telegram: Send the script output directly to Telegram

Script Features

  • Multi-market coverage: US, Europe, Japan, Gold, Polymarket
  • Rate limiting: Maximum 2 concurrent searches, 1.5 second request interval
  • Retry mechanism: Automatic retry on rate limit
  • Error handling: Individual fund failures don't affect others
  • Formatted output: Bold list format
  • Obsidian sync: Saves Chinese version to Obsidian
  • Auto GitHub push: Automatically pushes to GitHub after generation

Fund Configuration

The script has built-in keywords for:

  • 华宝纳斯达克精选股票 (QDII)C
  • 摩根欧洲动力策略股票 (QDII)A
  • 摩根日本精选股票 (QDI)A
  • 易方达黄金 ETF 联接 C
  • 标普500 (S&P 500 Index)
  • Polymarket / 预测市场

Error Handling

Common Issues

Issue: Script fails with "Rate limit exceeded"

  • Cause: Too many requests to search API
  • Solution: Script has built-in retry with exponential backoff. Wait 5 minutes and retry.

Issue: Empty or partial report

  • Cause: Some fund APIs may be temporarily unavailable
  • Solution: Check individual fund sources. The script continues even if some funds fail.

Issue: GitHub push fails

  • Cause: Network issue or authentication expired
  • Solution: Report success/failure in output. User can manually push if needed.

Output Format

The script outputs a formatted report with:

  • Market name and fund name (bold)
  • Key news summary with bullet points
  • Last updated timestamp

Data Storage

  • Obsidian save path: /root/clawd/obsidian-vault/reports/fund/YYYY-MM-DD.md
  • Filename format: YYYY-MM-DD.md
  • Language: Chinese (translated from English API results)
  • GitHub repo: https://github.com/YonghaoZhao722/yonghao-notes
  • Branch: master

Manual Execution (Debug)

cd /root/clawd/skills/fund-news-summary
python3 fund_news.py
