Skill v1.0.0

ClawScan security

Find Profitable Stocks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 4:54 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is instruction-only and its requirements (internet access, Python + requests, and calling East Money public APIs) are consistent with its stated purpose of screening stocks by free cash flow and fundamentals.
Guidance
This is an instruction-only stock-screening skill that uses public East Money endpoints and falls back to demo data when offline. Before installing: ensure the agent environment has internet access and Python + requests available; understand that the skill will query public financial APIs (push2.eastmoney.com) so check any applicable data usage or licensing terms if you use results for commercial/trading decisions; the skill does not request credentials or access local files, but you should still verify outputs and not rely solely on automated scores for investment decisions. If you require other data sources (e.g., US exchanges), confirm the skill supports them or adjust accordingly.

Review Dimensions

Purpose & Capability
ok: Name/description (screening by FCF and fundamentals) align with the instructions, which fetch financial data from public APIs and compute health scores; nothing requested is unrelated to stock screening.
Instruction Scope
ok: SKILL.md explicitly limits actions to fetching public market data (push2.eastmoney.com), computing scores, and returning metrics. It does not instruct reading local files, collecting unrelated system data, or sending data to third parties beyond the listed public API.
Install Mechanism
ok: No install spec (instruction-only). The declared runtime requirements are minimal (Python 3.x and requests); no downloads or installers are specified, so nothing will be written to disk by the skill itself.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. That is proportionate to its purpose; public API access and demo fallback are described without asking for secrets.
Persistence & Privilege
ok: 'always' is false and the skill does not request permanent presence or system-wide config changes. Autonomous invocation is allowed by default but is not combined with other red flags.