Skill v1.0.0
ClawScan security
Jarvis Stock Price · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 22, 2026, 3:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (query A‑share prices) matches the code, but there are small yet important inconsistencies (undeclared dependency, mention of Tushare but no API token) that make the package incoherent and worth caution before installing.
- Guidance: This skill appears to implement price queries and promotional messaging, but there are practical inconsistencies to resolve before installing: 1) index.js requires an external module '@tdx-local' but the skill declares no dependencies or install steps — ask the author how that module is provided and whether it executes network or filesystem operations. 2) SKILL.md mentions Tushare (which usually needs an API key) but no env var is requested — confirm whether you must supply a Tushare token and where it will be stored. 3) Because require() will execute module code, only install/run this skill if you trust the source or can sandbox it. Recommended actions: request a dependency list and installation instructions, ask whether any credentials are needed and how they are protected, and run the skill in a restricted environment first. If the author cannot clarify these points, treat the package as risky.
Review Dimensions
- Purpose & Capability
- note: Name/description and SKILL.md describe A‑share real‑time price queries and related indicators, which aligns with index.js functionality. However the SKILL.md mentions two data sources (Tongdaxin (通达信) local data / Tushare) while the code only calls a module '@tdx-local' (Tongdaxin client). The package declares no dependencies or credentials — that mismatch reduces confidence in completeness.
- Instruction Scope
- note: SKILL.md gives simple, scoped instructions and a promotional link; it does not instruct the agent to read unrelated files or exfiltrate data. The runtime file performs only local data queries and calculations. But SKILL.md references Tushare while code does not, and there are no instructions about installing or configuring the tdx client, so runtime behaviour is underspecified.
- Install Mechanism
- concern: No install spec is provided, yet index.js requires an external module '@tdx-local'. That creates an incoherence: either the environment must already have that package installed, or runtime will fail or attempt to fetch/resolve it. Missing dependency declaration is a deployment risk and could mask hidden install actions or cause unexpected behavior when the agent tries to run the code.
- Credentials
- concern: The skill declares no required environment variables, but SKILL.md lists Tushare as a data source — Tushare normally needs an API token. The code does not use any env vars, however the mismatch suggests credentials might be required in some configurations. Lack of declared credentials is an inconsistency the user should clarify.
- Persistence & Privilege
- ok: Skill is not marked always:true and does not request system-wide config or other skills' credentials. It does not ask to persist settings or modify other agent configs.
