stock-analysis
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: chaogu
Version: 1.0.0
The skill's stated purpose of A-share market data analysis is benign. However, multiple scripts (`scripts/check_sectors.py`, `scripts/recommend.py`, `scripts/recommend2.py`, `scripts/recommend3.py`, `scripts/simple_analysis.py`) contain hardcoded Windows-specific file paths (e.g., `C:/Users/chenyaoan/Desktop/stock_data.csv`). Critically, `scripts/simple_analysis.py` attempts to write data to this fixed, non-skill-specific location. This uncontrolled file write is a significant vulnerability that could lead to unintended file creation, modification, or data loss on a user's system. While there is no evidence of malicious intent such as data exfiltration or backdoor installation, these hardcoded paths and the uncontrolled file write represent serious flaws in development practice.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the installer can modify the user's Python environment and depends on whatever versions are currently served by package repositories.
The user-run installer installs third-party packages without version pinning. This is aligned with the stock-data purpose, but it relies on the current package supply chain.
subprocess.run([sys.executable, "-m", "pip", "install", "akshare", "pandas"], check=True)
Install in a virtual environment, verify package sources, and prefer pinned dependency versions or a declared install spec.
If enabled, the agent may keep running scheduled stock-analysis prompts and producing recommendations on an hourly basis.
The skill documents an optional recurring hourly agent task. This persistence is disclosed and purpose-aligned for automatic stock analysis, but it continues until removed.
openclaw cron add ... --cron "0 * * * *" ... --agent main ... --session isolated
Only create the cron task if ongoing analysis is desired, and use the documented cron list/remove commands to review or stop it.
If this script runs on a matching Windows path, it may create or overwrite stock_data.csv on the Desktop.
An auxiliary script writes market data to a fixed Desktop path outside the skill directory. This is related to the skill's purpose, but it is not scoped to a user-approved or portable location.
df.to_csv('C:/Users/chenyaoan/Desktop/stock_data.csv', index=False, encoding='utf-8-sig')
Change the output to a user-selected path or a skill-local data directory, and ask before overwriting files.
Some documented commands may fail or cause confusion about which reviewed script should be run.
The documentation presents quick_analysis.py as a primary script, but the supplied file manifest does not include that file, indicating a packaging/documentation mismatch rather than malicious behavior.
python ~/.openclaw/skills/stock-analysis/scripts/quick_analysis.py
The publisher should align the documentation with the manifest or include the referenced scripts.
