Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
astock-research
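v1.2.0
An in-depth A-share investment research framework modeled on the Tonghuashun (同花顺) / Luobo Touyan (萝卜投研) systems, covering five dimensions: fundamentals (macro + micro), capital flows, technicals, sentiment, and news. Used for in-depth analysis of A-share listed companies and for drawing up trading plans.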
⭐ 3· 1.4k·10 current·12 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims no required credentials or binaries, yet the bundled script sets and uses a QVERIS_API_KEY and invokes a qveris tool at an absolute path. A stock research skill legitimately needs API access, but that should be declared (and configured by the user), not hardcoded into a shipped script or tied to another skill's workspace.
Instruction Scope
SKILL.md itself is an instruction-only research framework (no explicit runtime commands), but the provided scripts run an external tool (~/.local/bin/uv) against /home/ubuntu/.openclaw/workspace/skills/qveris/scripts/qveris_tool.py and export an API key. The script therefore accesses filesystem paths and environment state outside the skill's declared scope and will cause network calls using the embedded key.
Install Mechanism
There is no install spec (instruction-only), so nothing additional is written to disk by an installer. That lowers supply-chain risk, but it does not mitigate the risky behavior in the included script.
Credentials
The script embeds a likely secret (QVERIS_API_KEY with an sk- prefix) even though requires.env declares none. Requiring or embedding a service API key without documenting it is disproportionate and may leak credentials or rely on someone else's key. The script also assumes specific home paths (/home/ubuntu/...) which are unrelated to the stated portable purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. However, because it contains an embedded API key and will make network calls when invoked (and the platform allows autonomous invocation by default), the combination increases potential for undesired external access if the skill is run automatically.
What to consider before installing
Do not install or run this skill until you verify its source and fix the script. Specific concerns: the script contains a hardcoded API key (sk-...), which is a secret and may be abused; it calls a tool at an absolute path in another skill's workspace (/home/ubuntu/.openclaw/.../qveris_tool.py), so it assumes a specific environment; and it will make network requests using the embedded key. Ask the author for a version that: (1) removes the embedded key and documents required credentials so you can supply your own; (2) does not reference hardcoded absolute paths (use relative paths or a documented dependency); (3) explains what external service (QVeris) it calls and why; and (4) provides provenance (homepage, repo, author contact). If you must run it, do so in an isolated sandbox, block outbound network egress until you audit behavior, and rotate any exposed keys immediately.
Like a lobster shell, security has layers — review code before you run it.
