Security Scan
OpenClaw
Safe
high confidence
The skill's code, instructions, and requested resources align with its stated purpose (local ETF/fund portfolio management using Yahoo and Tencent finance data); there are minor implementation bugs and documentation mismatches but no signs of covert behavior or disproportionate access requests.
Assessment Recommendations
This skill appears to do what it says: local portfolio tracking, alerts, and price lookups via Tencent Finance and Yahoo (yfinance). Before installing: 1) Review and optionally run the scripts in an isolated environment (or container) because install.sh will pip-install yfinance into your user Python environment. 2) Note a documentation mismatch: README mentions creating a virtualenv but install.sh does not — if you prefer isolation, create and activate a venv yourself before installing. 3) Be a...
✓ Purpose and Capabilities
Name/description (ETF portfolio manager, alerts, P/L) match the included scripts: add/remove/list positions and alerts, price lookups (Yahoo + Tencent). No unrelated credentials, binaries, or services are requested.
✓ Instruction Scope
SKILL.md directs the agent/user to run the included local Python scripts and optionally add a cron job to run check_alerts.py. All file reads/writes are confined to the stated data directory (~/.clawdbot/etf_investor). External network calls are only to expected price data sources (Tencent qt.gtimg.cn and Yahoo via yfinance).
ℹ Install Mechanism
There is no registry install spec, but an install.sh is included and documented. install.sh runs pip3 install --user yfinance (and a fallback), which pulls from PyPI; no arbitrary URL downloads or extracted archives. Minor inconsistency: README claims a Python virtualenv is created, but install.sh does not create one (it installs into user site-packages).
✓ Credential Requirements
The skill requests no environment variables or credentials. It stores data locally under ~/.clawdbot/etf_investor and modifies only its own files. The config.py attempts to add a venv site-packages path to sys.path if present — this is reasonable given optional venv use.
✓ Persistence and Privileges
always is false and the skill does not request elevated privileges or modify other skills or system-wide config. It creates and deletes its own data directory during install/uninstall and makes its scripts executable.
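Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.1.0 2026/2/23
Updated to use the Tencent Finance API for A-share prices
● Suspicious
Install Command
Official: npx clawhub@latest install etf-finance
Mirror (accelerated): npx clawhub@latest install etf-finance --registry https://cn.longxiaskill.com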