Skill v1.0.2

ClawScan security

stock-manage-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 2:28 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and dependencies are consistent with a local stock/order/rule manager that fetches public market data and stores everything under a local data/ directory.
Guidance
This skill appears internally consistent with its stated purpose. Before installing: (1) be aware it will install Python packages from PyPI (requests, akshare, yfinance, pandas) — review those dependencies and install in a virtual environment; (2) the skill makes outbound HTTP(S) requests to public finance APIs (qt.gtimg.cn, hq.sinajs.cn, Yahoo/akshare) to fetch data; ensure this is acceptable in your environment; (3) it stores data and logs under a local data/ directory (orders, rules, stock_info, logs) and creates backups — confirm file location and permissions; (4) run the code in a sandbox or review the code yourself if you need higher assurance. No credentials are required by the skill.

Review Dimensions

Purpose & Capability
ok
Name/description match the delivered artifacts: modules implement order management, rule management, stock-info fetching, and log management. Required packages (requests, akshare, yfinance, pandas) are appropriate for fetching and processing market data.
Instruction Scope
ok
SKILL.md and code instruct the agent to run local Python commands and operate on local files under a data/ directory. The instructions do not request unrelated system files, credentials, or exfiltration to unexpected endpoints; network calls are limited to public finance APIs (Tencent, Sina, Yahoo, akshare/yfinance).
Install Mechanism
note
There is no install spec, but the repository includes Python code and a requirements.txt pointing to PyPI packages. This is normal but means a pip install of the dependencies will be required before use (moderate risk from third-party packages). No downloads from arbitrary URLs or archives were found.
Credentials
ok
The skill requests no environment variables or credentials (primaryEnv none). That is proportionate: the code uses public APIs and local file storage. No secrets are required or referenced in the source.
Persistence & Privilege
ok
always:false and user-invocable:true (defaults) — normal. The skill writes only to its own data/ subdirectories (orders, rules, stock_info, logs) and does not modify other skills or global agent settings.