Skill v1.0.0
ClawScan security
stock-portfolio-zh-aisa · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 12:58 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, requirements, and SKILL.md are internally consistent for a portfolio tool that queries AISA (LLM-style) for prices and stores portfolios locally, with minor implementation and disclosure caveats.
- Guidance: This skill appears to do what it says: it stores portfolios locally and uses the AISA API (via the provided API key) to fetch prices. Before installing: (1) Confirm you trust the AISA provider because the skill sends tickers and related prompts to their API; (2) Be aware the script uses an LLM-style request to return numeric prices (LLMs can hallucinate values) — consider validating prices against a known market-data source; (3) The code may read optional env vars (AISA_BASE_URL, AISA_MODEL, CLAWDBOT_STATE_DIR) that aren't listed as required — if you set those, they will affect behavior; (4) Review the Python dependency (openai) and run the script in a sandbox or virtualenv if you want to inspect network calls. If you need tighter privacy, avoid putting sensitive identifiers in portfolios or run a version that queries a trusted market-data API instead of a chat model.
Review Dimensions
- Purpose & Capability (ok): Name/description (manage portfolios with live AISA prices) aligns with the code and declared requirement (AISA_API_KEY) and required binary (python3). The included Python script implements the described create/list/add/show/rename/delete operations and uses AISA to fetch prices.
- Instruction Scope (note): SKILL.md instructs running scripts/portfolio.py, which matches the shipped script. The runtime code reads/writes a local state file (.clawdbot/skills/stock-analysis/portfolios.json) (documented) and uses the environment variable AISA_API_KEY and, optionally, AISA_BASE_URL, AISA_MODEL, and CLAWDBOT_STATE_DIR. Only AISA_API_KEY is declared as required; the other env vars are used but not listed as required in the metadata.
- Install Mechanism (ok): No install spec is provided (instruction-only). The script references a Python dependency (openai) in comments but does not force any download or run-time install. No remote archives or obscure URLs are fetched at install time.
- Credentials (note): Only AISA_API_KEY is requested as a required credential, which is proportional to calling the AISA API. However, the script can also read AISA_BASE_URL and AISA_MODEL (not declared) and will transmit tickers to the AISA endpoint — that means portfolio tickers/requests are sent to the external AISA service (expected for price queries but worth noting).
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill only writes its own local state file under a repo-local .clawdbot directory (or a directory set by CLAWDBOT_STATE_DIR). It does not modify other skills or system-wide configs.
