ClawHub
Back to skill
v1.1.0

CNY RMB A股 China A shares Stock

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 8:11 PM.

Analysis

This skill appears aligned with its stated purpose of fetching public Weibo and A-share market data, with some user-noticeable dependency, credential-signal, and local-cache considerations.

GuidanceThis skill appears reasonable for public Weibo and A-share market monitoring. Before installing, be aware that it asks you to install an unpinned Python dependency, stores local market snapshots in `.cache/`, and has a metadata/capability mismatch around sensitive credentials. Do not provide passwords, cookies, brokerage credentials, or API keys to this skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
akshare (`pip3 install akshare`)

The skill depends on an external Python package without a pinned version. This is expected for the market-data purpose, but unpinned packages can change behavior over time.

User impactInstalling the latest dependency version may introduce unexpected changes or dependency-chain risk.
RecommendationInstall dependencies from a trusted package index and consider pinning a reviewed akshare version in your own environment.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceMediumStatusNote
capability signals / metadata
Capability signals: - requires-sensitive-credentials; Requirements: Required env vars: none; Primary credential: none

The registry credential contract says no credentials are required, while the capability signals include a sensitive-credential requirement. The visible instructions also say public data sources do not need API keys, so this is a credential-contract ambiguity rather than evidence of actual credential use.

User impactA user could be confused about whether credentials are needed, even though the visible artifacts describe public, no-key data sources.
RecommendationDo not provide API keys, cookies, brokerage credentials, or account tokens to this skill unless a future version clearly documents and scopes that need.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
自动保存每日数据到 `.cache/`

The skill discloses persistent local snapshot caching for historical comparisons. This is purpose-aligned, but it means retrieved market data can persist across runs.

User impactCached market snapshots may remain on disk and influence later comparison reports.
RecommendationDelete the skill's `.cache/` directory if you do not want historical snapshots retained.