Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smc Trading Signal
v1.0.1SMC 聪明钱交易信号监控,1H 定方向 +15M 入场,ATR 动态止盈止损。支持黄金/加密货币/外汇。
⭐ 0· 74·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a Python-based trading signal monitor — python3 is a reasonable requirement. However the declared required binary 'uv' is unexplained and not referenced in the scripts; this is an incoherence that should be justified or removed. Otherwise the files (monitor.py / monitor_v2.py, config/*.json) and described features match the stated purpose.
Instruction Scope
SKILL.md tells the agent to run the included Python script and edit config files — that aligns with the purpose. Implementation details to note: monitor.py exec()'s the contents of monitor_v2.py (running code by reading+exec is riskier than a normal import), the scripts perform network requests to external data sources (sina/yahoo), and the sina request intentionally sets verify=False (disables TLS verification). The scripts write output files under the skill workspace. None of these actions contradict the stated purpose, but exec() and disabled TLS are implementation risks to review.
Install Mechanism
There is no install spec (instruction-only install), which is the lowest installer risk. The package relies on Python libraries (requests, optional akshare) but does not declare or install them — the user will need to provide these. No remote downloads or installers are executed by the skill metadata itself.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for a read-only market-data signal generator. The scripts do perform outbound HTTP calls to public finance APIs (expected). There are no requests for unrelated credentials or system-level config paths.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It does write signal files into its own workspace/output directory and suggests adding a cron job via openclaw — both are within expected behavior for a monitoring skill and do not appear to modify other skills or global agent settings.
What to consider before installing
Things to check before installing:
- Ask the maintainer why the skill metadata lists a required binary named 'uv' — it's not referenced by the scripts and may be a metadata mistake.
- Inspect monitor_v2.py fully (it is executed via exec in monitor.py). Exec-ing a local file runs arbitrary code from the skill directory; confirm its contents are acceptable and review for hidden actions.
- Note the scripts call external endpoints (hq.sinajs.cn and Yahoo). The Sina request disables TLS verification (verify=False), which can make network traffic vulnerable to interception—consider running only on a trusted network or patching the request to enable certificate verification.
- The skill doesn't require secrets, but it performs network I/O and writes output files under the skill workspace. Run it first in a sandbox or isolated environment, and create a Python virtualenv with explicit pip installs (requests, akshare if you need it) rather than relying on system packages.
- The SKILL.md and README point to a GitHub repo; review that repository and recent commits for further context and verify the maintainer identity before trusting signals for live trading.
- Because the skill is not marked for automatic trading, it will only produce signals — do not provide any trading API keys unless you explicitly add and audit code to support safe automated execution.Like a lobster shell, security has layers — review code before you run it.
latestvk97fdg9a8get5ghd6c57cfe5en83gv8a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📈 Clawdis
Binspython3, uv