Skill v1.0.0

ClawScan security

Alpha Pulse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 2:27 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description and README claim a full scanning/prediction/reporting/notification pipeline, but the package only contains a scanner skeleton and no model, predictor, reporting, or notify code — this mismatch and missing configuration details warrant caution.
Guidance
This package appears to be an incomplete implementation: SKILL.md promises a full prediction/report/notify pipeline but only a data scanner (lib/scanner.py) and config.yaml are included. Before installing or using it:
1) ask the author or source for the missing files (factors.py, predictor.py, filter.py, examples/run_tomorrow.py) or a clear install/build instruction;
2) do not provide any API tokens or secrets until you see code that explicitly uses them and you trust the source;
3) if you install Python packages, do so in an isolated virtualenv to limit system impact;
4) request clarification on how the optional tushare token should be provided (env var vs config file); and
5) prefer skills from a verified homepage or author, or review the remaining implementation (prediction/report/notify code) before trusting automated execution.
If the missing components are supplied and align with the README (no unexpected network sinks, no secret access), this assessment could change to benign.

Review Dimensions

Purpose & Capability
note: The name/description (A股次日短线预测, "A-share next-day short-term prediction") match the included scanner.py and the SKILL.md's stated dependencies (akshare, pandas, xgboost). However, SKILL.md documents many modules (factors.py, predictor.py, filter.py, examples/run_tomorrow.py, notify/report features) that are not present in the file manifest: the actual bundle only contains scanner.py and config.yaml, so the delivered capability is incomplete relative to claims.
Instruction Scope
concern: Runtime instructions tell the agent to run commands like `alpha-pulse predict`/`report`/`notify` and to install dependencies, but there is no code implementing predict/report/notify in the package. SKILL.md also suggests configuring a tushare token for better data but does not declare where the token goes, what it is named, or how it is consumed. The scanner.py itself only uses akshare and reads no environment variables or external endpoints beyond akshare, so the instructions give broader runtime responsibilities than the code supports.
Install Mechanism
ok: There is no install spec in the registry (instruction-only). SKILL.md recommends installing Python packages via pip (akshare, pandas, numpy, xgboost), which is a common, expected approach for a Python data tool; no suspicious downloads or obscure URLs are used.
Credentials
note: The skill declares no required env vars or credentials. SKILL.md mentions an optional 'tushare token' to improve data quality but does not specify an env var name or how it will be stored/used; config.yaml also references 'token' conceptually but provides no token field. This is a minor inconsistency but not in itself a credential-exfiltration indicator.
Persistence & Privilege
ok: The skill does not request persistent or privileged presence (always:false). There is no code that modifies other skill configs or system-wide settings; the package is a local script skeleton and does not attempt to install services or persist credentials.