Skill v1.0.1
ClawScan security
A股数据分析 (A-share Data Analysis, AkShare) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 28, 2026, 9:08 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent with its stated purpose (using AkShare to fetch A-share/HK/US market data) and requests no credentials, but it contains sloppy bugs and a mismatch between the README warning and the script's implementation that you should review before use.
- Guidance: This skill appears to do what it claims: it wraps AkShare calls to fetch market and financial data and does not request credentials. However:
  - Review and test the script before use: get_fund_flow references an undefined symbol (likely should be ak.stock_individual_fund_flow) and will raise errors.
  - The script uses full-market endpoints (ak.stock_zh_a_spot_em()) for realtime/search; those endpoints return many rows and are slow (~70s) as the README warns. If you only need individual stocks, change calls to the per-symbol APIs to avoid heavy network/CPU usage and large data downloads.
  - The SKILL.md contains a small typo in the pip instruction ('uv pip install akshare'); run pip install akshare yourself (preferably in a virtual environment).
  - AkShare itself fetches data from third-party sources (EastMoney, Sina, etc.); expect network requests and respect rate limits and legal/usage terms of those sources.
  - As a precaution, run the code in a sandbox or isolated environment, verify the akshare version, and inspect network activity if you have strict security requirements.
Review Dimensions
- Purpose & Capability (ok): Name/description promise AkShare-based market and financial data; the code and SKILL.md call akshare APIs accordingly. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope (note): SKILL.md instructs installing and using akshare and documents many APIs. It warns against using full-market endpoints for single-stock queries, but the included script uses full-market endpoints (ak.stock_zh_a_spot_em()) for realtime queries and search, which is inconsistent and can be slow/expensive. There are minor typos (e.g., 'uv pip install akshare') and a coding bug: get_fund_flow calls stock_individual_fund_flow(...) without qualifying it with ak. These are scope/implementation problems, not evidence of data exfiltration.
- Install Mechanism (ok): No automated install spec; SKILL.md suggests pip installing akshare. No arbitrary downloads or archive extraction are present in the bundle.
- Credentials (ok): The skill declares no required env vars, no credentials, and the code does not read external credential-related environment variables. Proportional to purpose.
- Persistence & Privilege (ok): always:false and no special persistence or modifications to other skills or system configs. Skill can be invoked by the agent (normal behavior).
