Astock Daily

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill’s stock-email purpose is mostly coherent, but it handles email credentials unsafely, hard-codes a recipient mailbox, and includes privileged DNS/cron setup steps that users should review carefully.

Install only after editing the recipient email, removing hard-coded credentials, disabling any password logging, keeping SMTP TLS verification on, and reviewing whether you really want cron persistence or /etc/hosts changes. Prefer using a dedicated app password with minimal privileges, and do not run test-smtp.js in its current form.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running this script may attempt to use a hard-coded mail account, and the exposed credential indicates unsafe secret handling.

Why it was flagged

The SMTP test script embeds a mailbox username and a real-looking password directly in source code and uses them for authentication.

Skill content
const user = '8@batype.com';
const pass = '960515@ss.com';
Recommendation

Do not run the SMTP test as-is. Remove hard-coded credentials, rotate any exposed password, and require user-provided secrets through a declared secure configuration path.

What this means

A user’s mail password or app password could be written to console/cron logs and could be exposed over a connection that does not verify the server certificate.

Why it was flagged

The main mail-sending path prints the SMTP password to logs and disables TLS certificate verification for secure SMTP by default.

Skill content
console.log({
  host: config.host,
  port: parseInt(config.port) || 587,
  secure: config.secure || false,
  auth: {
    user: config.user,
    pass: config.pass,
  },
});
const tlsConfig = config.tls || (config.secure ? { rejectUnauthorized: false } : undefined);
Recommendation

Never log passwords, mask secrets in diagnostics, keep TLS certificate verification enabled, and delete any logs that may already contain SMTP secrets.

What this means

A user may configure their own SMTP account and unintentionally send reports to 8@batype.com unless they notice and change the code/configuration.

Why it was flagged

The skill says it emails the user, but its documented/default recipient is a fixed mailbox rather than being collected from the installer.

Skill content
Fetch daily A-share new stock (IPO) issuance information and selected stocks priced under 20 yuan, and send them to the user by email.
...
- Email: 8@batype.com
Recommendation

Prompt for the recipient address during setup, avoid hard-coded personal addresses, and clearly disclose who receives each email before sending.

What this means

This can affect all mail software on the machine and may route SMTP traffic unexpectedly, especially when combined with disabled TLS verification.

Why it was flagged

The helper script asks for sudo and permanently changes system-wide DNS resolution for SMTP domains by appending fixed IP mappings to /etc/hosts.

Skill content
sudo sh -c 'echo "47.246.165.89 smtp.qiye.aliyun.com" >> /etc/hosts'
sudo sh -c 'echo "47.246.165.89 smtp.mxhichina.com" >> /etc/hosts'
Recommendation

Avoid modifying /etc/hosts unless necessary, provide a clear rollback command, validate current DNS instead of pinning IPs, and require explicit user approval.

What this means

If enabled, the skill will continue running in the background and may keep using network access and SMTP credentials on a schedule.

Why it was flagged

The setup script can create a recurring weekday cron job that runs the skill and writes logs.

Skill content
CRON_LINE="30 9 * * 1-5 cd $SCRIPT_DIR && source .env && /opt/homebrew/bin/node index.js >> /tmp/astock-daily.log 2>&1"
...
(echo "$CURRENT_CRON"; echo "$CRON_LINE") | crontab -
Recommendation

Only enable the cron job if you want automatic daily emails; check `crontab -l` and remove the entry if you no longer use the skill.