Skill v1.3.0
ClawScan security
Stock Filter Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 3:53 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared requirements, and runtime instructions are consistent with a CLI wrapper that talks to a user-supplied stock-data API; requested credentials and binaries match its purpose.
- Guidance: This package appears to be a straightforward Node CLI that calls whatever API you point it at. Before installing: (1) only set STOCK_API_BASE_URL to a host you trust — the skill will send your STOCK_API_KEY in X-API-Key headers to that host; (2) create an API key with limited scope/permissions and expiration (do not reuse high-privilege keys); (3) inspect the included source (src/*.js) if you are concerned — it only uses fetch and dotenv and calls API paths under /api/v1; (4) run npm install in an isolated environment (or sandbox/container) if you want to limit risk from third-party packages; (5) avoid placing unrelated secrets in the skill directory .env because dotenv will load them. If you need higher assurance, confirm the API_BASE_URL points to your backend or a trusted provider and verify the package author/source before publishing to production.
Review Dimensions
- Purpose & Capability (ok): Name/description (stock filtering, Jiuyan, Douyin hotspots) match the implemented tools. Required binary (node) and primaryEnv (STOCK_API_KEY) are appropriate for a client that sends requests to an API at STOCK_API_BASE_URL. No unrelated credentials or surprising capabilities are requested.
- Instruction Scope (note): SKILL.md instructs running npm install in the skill folder and executing the included CLI (node src/main.js ...) with the working directory set to the skill baseDir. The code uses dotenv to load .env from the package root (expected for a CLI), which will populate process.env — the runtime only uses STOCK_API_BASE_URL, STOCK_API_KEY and optional STOCK_API_TIMEOUT. This is generally within scope, but be aware dotenv will load any other keys present in .env in that directory.
- Install Mechanism (note): There is no automated install spec in the registry (instruction-only), but package.json and package-lock.json are included and SKILL.md instructs the user to run npm install. The only runtime dependency is dotenv from the public npm registry. No arbitrary remote downloads, extract steps, or non-standard installers are present.
- Credentials (ok): The skill requires STOCK_API_BASE_URL and the primary credential STOCK_API_KEY (plus optional timeout). These are proportionate for an HTTP API client. No other unrelated secrets, config paths, or broad credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or global agent settings. It performs network requests only to the user-specified API_BASE_URL. Autonomous invocation is allowed (platform default) and does not by itself raise additional concerns here.
