Low risk: risk score 10/100
Last scan: 2 days ago
stock-decision
A-share investment decision assistant: reads holdings from shared memory and generates an investment decision report
A legitimate stock investment decision-making skill with no malicious behavior detected. All declared features are implemented, with minor documentation discrepancies that have no security impact.
Skill name: stock-decision
Analysis time: 29.1s
Engine: pi
Verdict: safe to install
This skill is safe to use. Consider pinning the requests library version in requirements.txt for better dependency hygiene.

Security findings (2)

Severity | Finding | Location
Low | Undocumented external import | skill.py:13
  Code imports from ~/.openclaw/workspace/shared_memory_loader.py without declaring this dependency
  from shared_memory_loader import get_latest_holdings
  → Consider documenting that this skill depends on the shared_memory_loader module from the platform
Low | Unimplemented feature in documentation | SKILL.md:41
  SKILL.md mentions Feishu webhook notifications but the code never implements this functionality
  export FEISHU_WEBHOOK
  → Either implement the Feishu notification feature or remove it from documentation
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | skill.py:175 reads SHARED_MEMORY.md
File system | WRITE | WRITE | ✓ Consistent | skill.py:178 writes to ~/.openclaw/decisions/
Network access | READ | READ | ✓ Consistent | skill.py:45 fetches from qt.gtimg.cn
Command execution | NONE | NONE | | No subprocess calls found
Environment variables | NONE | NONE | | No credential harvesting observed
External URL findings (5)

Severity | Type | URL | Location
Medium | External URL | https://open.feishu.cn/open-apis/bot/v2/hook/xxx | README.md:24
Medium | External URL | https://docs.openclaw.ai | SKILL.md:77
Medium | External URL | https://discord.com/invite/clawd | SKILL.md:78
Medium | External URL | https://clawhub.ai/skills/stock-decision | package.json:9
Medium | External URL | https://qt.gtimg.cn/q= | skill.py:45

Directory structure

5 files · 10.3 KB · 374 lines
Python 1 file · 220 lines; Markdown 2 files · 143 lines; JSON 1 file · 10 lines; Text 1 file · 1 line
├─ 📋 package.json JSON 10L · 325 B
├─ 📝 README.md Markdown 65L · 1.2 KB
├─ 📄 requirements.txt Text 1L · 9 B
├─ 📝 SKILL.md Markdown 78L · 1.7 KB
└─ 🐍 skill.py Python 220L · 7.0 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned; consider constraining to requests>=2.28.0

Security highlights

✓ No credential harvesting or exfiltration observed
✓ No shell command injection vulnerabilities
✓ No suspicious network connections to unknown IPs
✓ No base64 encoded payloads or obfuscated code
✓ No access to sensitive paths like ~/.ssh or ~/.aws
✓ No remote script execution patterns
✓ Stock price API (qt.gtimg.cn) is a legitimate financial data source
✓ Reports are written only to the designated ~/.openclaw/decisions directory