stock-decision Security Report — Low Risk | ClawSafe

10 /100

stock-decision

A 股投资决策助手 - 从共享记忆读取持仓，生成投资决策报告

A legitimate stock investment decision-making skill with no malicious behavior detected. All declared features are implemented, with minor documentation discrepancies that have no security impact.

Skill Namestock-decision

Duration29.1s

Enginepi

✓

Safe to install

This skill is safe to use. Consider pinning the requests library version in requirements.txt for better dependency hygiene.

Findings 2 items

Severity	Finding	Location
Low	Undocumented external import Code imports from ~/.openclaw/workspace/shared_memory_loader.py without declaring this dependency `from shared_memory_loader import get_latest_holdings` → Consider documenting that this skill depends on the shared_memory_loader module from the platform	`skill.py:13`
Low	Unimplemented feature in documentation SKILL.md mentions Feishu webhook notifications but the code never implements this functionality `export FEISHU_WEBHOOK` → Either implement the Feishu notification feature or remove it from documentation	`SKILL.md:41`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	skill.py:175 reads SHARED_MEMORY.md
Filesystem	`WRITE`	`WRITE`	✓ Aligned	skill.py:178 writes to ~/.openclaw/decisions/
Network	`READ`	`READ`	✓ Aligned	skill.py:45 fetches from qt.gtimg.cn
Shell	`NONE`	`NONE`	—	No subprocess calls found
Environment	`NONE`	`NONE`	—	No credential harvesting observed

5 findings

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/bot/v2/hook/xxx

README.md:24

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai

SKILL.md:77

🔗

Medium External URL 外部 URL

https://discord.com/invite/clawd

SKILL.md:78

🔗

Medium External URL 外部 URL

https://clawhub.ai/skills/stock-decision

package.json:9

🔗

Medium External URL 外部 URL

https://qt.gtimg.cn/q=

skill.py:45

File Tree

5 files · 10.3 KB · 374 lines

Python 1f · 220L Markdown 2f · 143L JSON 1f · 10L Text 1f · 1L

├─ 📋 package.json JSON 10L · 325 B

├─ 📝 README.md Markdown 65L · 1.2 KB

├─ 📄 requirements.txt Text 1L · 9 B

├─ 📝 SKILL.md Markdown 78L · 1.7 KB

└─ 🐍 skill.py Python 220L · 7.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	Version not pinned - consider constraining to requests>=2.28.0

Security Positives

✓ No credential harvesting or exfiltration observed

✓ No shell command injection vulnerabilities

✓ No suspicious network connections to unknown IPs

✓ No base64 encoded payloads or obfuscated code

✓ No access to sensitive paths like ~/.ssh or ~/.aws

✓ No remote script execution patterns

✓ Stock price API (qt.gtimg.cn) is a legitimate financial data source

✓ Reports are written only to the designated ~/.openclaw/decisions directory

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives