Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
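A-Share Full-Workflow Quantitative Decision System
v1.0.1 · A full-workflow quantitative analysis assistant for live A-share trading. It lets AI watch the market, analyze, and review trades like a professional trader, so that real-money decisions are backed by data. Problems it solves: not knowing whether to buy → a complete chain of reasoning through a five-gate argument; not knowing when to stop out → an iron rule to exit as soon as the level is broken; worried about being fleeced by market makers → OBV plus an asymmetry ratio to identify distribution; tired of watching the market every day → fully automated four-stage cron broadcasts; reviews that never lead to improvement → structured templates that force self-checks, with mistakes recorded permanently. Arsenal...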
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: it pulls Eastmoney market data, computes indicators, drives cron-based monitoring, and writes local memory/log files. Optional components (Datasaver, InStock container) are relevant to the stated purpose. Minor incoherence: the skill expects a workspace config file (.mcp.json) and optional tokens/cookies but the manifest declared no required config paths or credentials.
Instruction Scope
SKILL.md instructs the agent to read/write local files (MEMORY.md, memory/*.md), to read a workspace config (~/.openclaw/workspace/.mcp.json) and to accept/paste browser cookies and a Datasaver API key. Those file and credential accesses are within scope for an automated trading assistant but are sensitive and were not declared in requirements. The skill also suggests running Docker commands for InStock and registering cron tasks that will trigger autonomous agent turns — these give the skill ongoing access to local state/data when scheduled.
Install Mechanism
This is instruction-only with no install spec or remote downloads, which is low risk. No external binary installs are requested by the manifest.
Credentials
Although no env vars or primary credentials are declared in the registry, the documentation clearly asks for optional sensitive tokens: Datasaver dev_id and api-key (to be placed into .mcp.json) and an EastMoney browser Cookie for higher API stability. Those credentials are directly relevant to the feature set, but the manifest should have declared the config path or optional credential requirements. The skill also recommends injecting a Bearer token into a local MCP config pointing at https://datasaver.deepminingai.com — this third‑party endpoint and the practice of pasting cookies/tokens into local files raises confidentiality concerns.
Persistence & Privilege
always:false (good). The skill's workflow encourages registering recurring cron tasks which will cause autonomous agent runs on a schedule and writing to MEMORY.md and memory logs. That persistence is coherent with the skill's purpose (automated monitoring), but users should be aware scheduled runs grant ongoing access to their workspace data and any credentials stored there.
What to consider before installing
This skill appears to be what it claims (an automated A‑share analyst) but it asks you to provide or store sensitive items that are not declared in the registry metadata. Before installing:
- Treat Datasaver dev_id/api-key and Eastmoney browser Cookie as sensitive. Do not paste them into shared environments or public chat. If you must use them, store them in a secure local config and rotate them regularly.
- The skill instructs adding a .mcp.json entry pointing at https://datasaver.deepminingai.com — verify you trust that service before putting secrets there.
- If you do not want the agent to run autonomously on a schedule, do not register the cron tasks (or review their payloads first). Scheduled tasks will cause the agent to read your MEMORY.md and other workspace files on each run.
- Because the manifest did not declare required config paths/credentials, assume the skill expects you to create/modify files in your workspace; restrict this to an isolated project/workspace if possible.
- Prefer running optional components (Datasaver, InStock Docker) in controlled, local environments. If you prefer more privacy, skip Datasaver and rely on the core curl/push2 endpoints (the SKILL claims core features still work without these optional tokens).
If you want me to: I can extract the exact lines that reference credentials and config paths, or produce a checklist to safely provision this skill (what to store where and what not to paste in public).
Like a lobster shell, security has layers — review code before you run it.
