Is kenera/a-share-short-decision safe?
https://github.com/openclaw/skills/tree/main/skills/kenera/a-share-short-decision
This skill is a legitimate bilingual (Chinese/English) A-share stock market analysis tool that uses the AkShare library to fetch live Chinese market data and generate short-term trading signals. SKILL.md contains no prompt injection, and no skill code reads sensitive credential files; the canary-file accesses in the audit log line up in time with oathe's own monitoring checkpoints rather than with skill execution. The primary concerns are: (1) the skill instructs agents to run substantial Python code that makes real outbound HTTPS calls to Chinese financial data providers, (2) scheduler.yaml enables fully autonomous execution during Chinese market hours, (3) .clawhub/lock.json lists an undocumented dependency on academic-research-hub that the code never imports or calls, and (4) the skill produces specific, actionable buy signals and position sizing without financial risk disclaimers.
Findings (9)
HIGH (-25) SKILL.md instructs agent to run arbitrary Python scripts via shell
The SKILL.md workflow section explicitly tells the agent to execute python3 main.py from a shell, so whatever that script and the modules it imports do runs with the agent's shell privileges.
HIGH (-17) Scheduler defines autonomous recurring execution without user prompting
scheduler.yaml defines three weekday cron jobs at Chinese market hours. If the agent platform processes this file, the skill will execute code and make external API calls autonomously at 14:30, 15:10, and 15:20 CST (China Standard Time, UTC+8) every trading day, with no user prompt in the loop.
MEDIUM (-20) Extensive outbound HTTPS calls to Chinese financial data infrastructure
Every invocation of the signal engine makes multiple calls to AkShare APIs that send stock symbols, date ranges, and query parameters to external servers operated by East Money and similar Chinese data providers. This is expected for a market data tool but represents non-trivial data egress.
MEDIUM (-20) Undocumented dependency on academic-research-hub skill
The .clawhub/lock.json lists academic-research-hub v0.1.0 as an installed dependency with a timestamp predating the current audit session. No import or call to this skill exists in the skill's Python code. The purpose of this dependency is unknown and may indicate bundled behavior that was not included in the audited file set.
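One way to reproduce this cross-check on any skill checkout, as an added example that is not part of the audit or of the skill's own code: parse the lock file, then look for each locked dependency both among the Python imports and as a whole token in the raw source text (the latter catches invocations by skill name that are not imports). The lock.json schema assumed here (a "dependencies" map keyed by skill name), the second dependency market-data-helpers, and the two source snippets in SOURCES are constructed stand-ins, not the real files; load_sources is the helper you would point at a real checkout.

```python
import ast
import json
import re
from pathlib import Path

# Constructed stand-in for .clawhub/lock.json. The real file's schema is an
# assumption here: a "dependencies" map keyed by skill name.
LOCK_JSON = json.dumps({
    "dependencies": {
        "academic-research-hub": {"version": "0.1.0"},
        "market-data-helpers": {"version": "1.2.0"},
    }
})

# Constructed stand-in for the skill's Python sources (file name -> text).
SOURCES = {
    "main.py": "import json\nimport market_data_helpers\n\ndef run():\n    return market_data_helpers.scan()\n",
    "config_optimization.py": "import argparse\n",
}


def name_variants(dep):
    """Spellings under which a hyphenated skill name may appear in Python."""
    base = dep.lower()
    return {base, base.replace("-", "_"), base.replace("-", "")}


def imported_modules(source):
    """Top-level module names imported by a Python source; empty set if it does not parse."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return set()
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def is_referenced(dep, sources):
    """True if any source imports the dependency or mentions its name as a whole
    token (covers subprocess or agent-tool invocations by skill name)."""
    variants = name_variants(dep)
    for text in sources.values():
        if variants & {m.lower() for m in imported_modules(text)}:
            return True
        for v in variants:
            if re.search(r"(?<![\w-])" + re.escape(v) + r"(?![\w-])", text, re.IGNORECASE):
                return True
    return False


def unreferenced_lock_deps(lock_json_text, sources):
    """Locked dependencies that nothing in the skill's sources imports or names."""
    deps = json.loads(lock_json_text).get("dependencies", {})
    names = list(deps) if isinstance(deps, dict) else [d["name"] for d in deps]
    return sorted(d for d in names if not is_referenced(d, sources))


def load_sources(skill_dir):
    """Read every .py under a checked-out skill (path -> text) for a real run."""
    return {str(p): p.read_text(encoding="utf-8", errors="replace")
            for p in Path(skill_dir).rglob("*.py")}


if __name__ == "__main__":
    print(unreferenced_lock_deps(LOCK_JSON, SOURCES))  # ['academic-research-hub']
```

A dependency that survives this check is either dead weight in the lock file or pulled in by something outside the audited file set; either way it is worth asking the publisher about before enabling the skill.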
MEDIUM (-12) Config overwrite capability via --apply-to-config flag
The config-optimization subskill can silently overwrite the base config.json when run with --apply-to-config. SKILL.md documents this as optional but does not prominently warn about the destructive nature of overwriting live configuration.
MEDIUM (-17) Actionable financial recommendations without risk disclaimers
The skill outputs specific stock buy signals, confidence scores, stop-loss thresholds, and position sizing (max 15%) that a user or downstream agent could act on financially. No risk disclaimers or investment advice caveats are included in SKILL.md or the output schemas.
LOW (-10) Unbounded persistent decision log accumulation
run_prediction_for_date() appends every prediction snapshot to data/decision_log.jsonl with no rotation, TTL, or size limit. Over time this log accumulates stock recommendations, signal scores, and market data that persists beyond individual sessions.
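A size-capped, rotating append plus a date-based prune is the usual remediation for this class of finding. The following is an added example, not code from the skill, and it does not touch the real run_prediction_for_date(): the file name decision_log.jsonl is taken from the finding, while the record fields, the 600-byte cap, the three kept generations and the 50-snapshot run in demo() are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path


def append_jsonl_bounded(path, record, max_bytes=1_000_000, keep=3):
    """Append one JSON record; rotate first if the file would exceed max_bytes."""
    path = Path(path)
    line = (json.dumps(record, ensure_ascii=False) + "\n").encode("utf-8")
    if path.exists() and path.stat().st_size + len(line) > max_bytes:
        _rotate(path, keep)
    with path.open("ab") as f:
        f.write(line)


def _rotate(path, keep):
    """Shift log -> log.1 -> ... -> log.<keep>; the oldest generation is deleted."""
    gens = [path.with_name(f"{path.name}.{i}") for i in range(1, keep + 1)]
    if gens[-1].exists():
        gens[-1].unlink()
    for older, newer in zip(reversed(gens[:-1]), reversed(gens[1:])):
        if older.exists():
            older.rename(newer)
    path.rename(gens[0])


def prune_older_than(path, cutoff, date_key="date"):
    """TTL: drop records whose ISO date (YYYY-MM-DD) sorts before cutoff; return count dropped."""
    path = Path(path)
    if not path.exists():
        return 0
    kept, dropped = [], 0
    with path.open("r", encoding="utf-8") as f:
        for raw in f:
            if not raw.strip():
                continue
            if json.loads(raw).get(date_key, "") < cutoff:
                dropped += 1
            else:
                kept.append(raw)
    path.write_text("".join(kept), encoding="utf-8")
    return dropped


def _count_lines(path):
    with Path(path).open("r", encoding="utf-8") as f:
        return sum(1 for _ in f)


def demo():
    """Constructed run: 50 snapshots against a 600-byte cap with three kept generations.
    Each constructed record is 55 or 56 bytes, so every generation holds 10 records."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "decision_log.jsonl"
        for i in range(50):
            snapshot = {"date": f"2024-01-{i % 28 + 1:02d}", "symbol": "600000", "score": i}
            append_jsonl_bounded(log, snapshot, max_bytes=600, keep=3)
        files = sorted(p.name for p in Path(tmp).iterdir())
        live = _count_lines(log)
        retained = sum(_count_lines(Path(tmp) / name) for name in files)
        pruned = prune_older_than(log, "2024-01-15")  # live file holds dates 13..22
        return {
            "files": files,
            "live": live,
            "retained": retained,
            "pruned": pruned,
            "live_after_prune": _count_lines(log),
        }


if __name__ == "__main__":
    print(demo())
```

With the cap and generation count set to realistic values (megabytes, not 600 bytes), the same two calls bound how much stock-recommendation history the skill leaves on disk, and the prune gives the data a TTL the finding notes it currently lacks.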
LOW (-12) Broad description triggers potential unintended invocation
The skill description includes a wide range of financial keywords ('market sentiment, sector rotation, strong stock scanning, capital flow confirmation, date-based short-term signal scoring') that could match many general finance questions and cause the agent to invoke this skill unintentionally.
INFO (0) Installation pulls from openclaw/skills monorepo via sparse checkout
The installer clones the entire openclaw/skills GitHub monorepo and extracts only the target subpath. This is expected oathe installer behavior. Network connections were limited to GitHub and Ubuntu update servers.