Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chan Theory (缠论) Stock Analysis Investment Research Report

v1.0.0

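A combined stock analysis skill covering Chan Theory (缠论), fundamentals, financial statements and valuation, which generates professional investment research reports (including PDF). Use when: the user provides a stock code and asks for in-depth stock analysis, Chan Theory technical analysis, fundamental research, financial statement interpretation, valuation analysis, or a comprehensive investment research report. NOT for: real-time quote broadcasting, simple stock price lookups, non-stock financial analysis. Trigger words: 缠论分析 (Chan Theory analysis), 股票分析报告 (stock analysis report), 技术面+基本面 (technical + fundamentals), 综...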

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (缠论 + fundamentals + valuation, output PDF) align with the instructions which describe data collection, technical/fundamental analysis and PDF generation. Declaring python3 as a required binary is reasonable for PDF generation, though no code files are present (this is an instruction-only skill that expects to call other skills/tools).
Instruction Scope
SKILL.md instructs the agent to fetch real‑time market data, financial statements, moneyflow, and to run multi‑indicator technical analysis and generate a PDF. It explicitly uses a separate 'finance-data-retrieval' skill and WebSearch queries. The instructions do not tell the agent to read local config files or secrets, but they will transmit the provided company/ticker to external services and web searches—expected for this purpose but a privacy/network activity to be aware of.
Install Mechanism
No install spec is provided (instruction-only), so nothing is written to disk by an installer. README says Python runtime will auto-install 'reportlab' at first run—this implies the agent or runtime will perform pip installs at runtime over the network; that behavior is not declared in registry metadata. No downloads from untrusted URLs are present in the package itself.
Credentials
Registry metadata lists no required env vars, but README and SKILL.md instruct the user to install 'finance-data-retrieval' and to set a TUSHARE_TOKEN environment variable (tushare.pro). This is an undeclared but necessary credential for data retrieval. The skill therefore has an indirect credential dependency that is not represented in metadata. Also, runtime pip installs (reportlab) could require network access. User should verify and trust the external 'finance-data-retrieval' skill before providing its token.
Persistence & Privilege
always=false and the skill does not request persistent system-level privileges or config path access. It does instruct installation/use of another skill, but it does not claim to modify other skills or force-enable itself. Autonomous invocation is enabled by default (normal) but not combined with other high privileges here.
What to consider before installing
This skill is broadly consistent with its stated purpose (deep stock research + generated PDF), but there are a few important mismatches and implicit dependencies you should address before installing:
- Metadata vs docs mismatch: registry metadata lists no required environment variables, but README and SKILL.md say you must configure TUSHARE_TOKEN and install the 'finance-data-retrieval' skill. Treat TUSHARE_TOKEN as effectively required.
- Trust chain: the skill delegates data collection to a separate skill (finance-data-retrieval). Only provide your Tushare token if you trust that other skill and its publisher.
- Runtime network activity: the skill will perform WebSearch calls and fetch market/financial data and may auto-install Python packages (reportlab) at runtime. Expect outbound network traffic and package installs.
- Ask the author (or the publisher) to update metadata to explicitly declare required env vars (TUSHARE_TOKEN) and the Python dependency (reportlab) so the registry accurately reflects what will be needed.

If you need to use this skill: ensure the finance-data-retrieval skill is from a trusted source, create a minimal-scope Tushare account/token if possible, and run initially in a controlled environment (or sandbox) until you confirm behavior. If the publisher cannot or will not update the metadata to declare the Tushare/token requirement, treat that as a red flag.

Like a lobster shell, security has layers — review code before you run it.

latestvk972ss933c2j7nz03gxb8v5ct183n4hx


Runtime requirements

📈 Clawdis
OS: Windows · macOS · Linux
Bins: python3
Any bin: python3, python
