Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A-Share Claw (A股龙虾)

v0.1.1

A-share paper-trading automation workflow for MX APIs. Use when user asks to run scheduled A-share mock trading, enforce risk limits (single position cap, to...

by ZHAO Youjun (@youjunzhao)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md clearly targets MX APIs and requires an MX_APIKEY (and optional MX_API_URL), which makes sense for an MX-integrated paper‑trading workflow — but the registry metadata lists no required environment variables or primary credential. That mismatch (metadata claims 'none' while runtime needs MX_APIKEY) is an incoherence that should be clarified before use.
[!] Instruction Scope
The instructions tell the agent to ensure and run local scripts (mx_autotrade/run_autotrade.py and mx_autotrade/daily_review.py) and to schedule automated runs. The skill bundle does not include these files; executing them would run arbitrary Python code from the user's workspace. The SKILL.md does not include validation, safety checks, or guidance for verifying these scripts' provenance.
Install Mechanism
There is no install spec (instruction-only). That minimizes installer risk because nothing from the skill itself is downloaded or written to disk.
Credentials
The runtime needs a single service credential (MX_APIKEY), which is proportionate to calling MX APIs. However, the registry metadata fails to declare this required env var/primary credential — the omission is an inconsistency and could cause silent failures or unexpected behavior if users are not alerted to provide the key.
Persistence & Privilege
The skill does not request always:true and has no install actions or system-level configuration changes. Model invocation is allowed (default), which is normal; there is no evidence the skill requests elevated persistence or cross-skill config access.
What to consider before installing
This skill is an instruction-only workflow that expects you to already have three local files (config.json, run_autotrade.py, daily_review.py) and an MX API key. Before installing or running:
1) Confirm the registry metadata omission — supply MX_APIKEY only if you trust the MX endpoint and the key is appropriate for paper trading (use a test key if available).
2) Inspect the contents of mx_autotrade/run_autotrade.py and mx_autotrade/daily_review.py line-by-line (or obtain them from a trusted source); do not run them blind because they can execute arbitrary code.
3) Verify that the risk rules (position caps, stale-order cancellation) are actually implemented in those scripts.
4) If you intend to enable scheduled or automated runs, test manually in an isolated environment or container first and ensure any scheduling mechanism is under your control.
5) Ask the skill author to correct the registry metadata to declare MX_APIKEY and to provide provenance or the actual code if they want the skill to be self-contained.

Like a lobster shell, security has layers — review code before you run it.
