Skill v1.0.0

ClawScan security

同花顺问财ETF选股 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 7, 2026, 1:56 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill legitimately queries an external iwencai ETF API, but its metadata and instructions are inconsistent about required environment variables and endpoint configuration, and the package owner is unknown — review before providing API credentials.
Guidance
This skill appears to be a straightforward client for the 同花顺/问财 (iwencai) API, but exercise caution before installing or enabling it:

- Metadata mismatch: The skill's manifest declares no required environment variables, but the instructions and CLI code require IWENCAI_API_KEY (and refer to IWENCAI_API_URL). Do not provide your API key until you confirm the skill legitimately needs it.
- Verify the endpoint and owner: The CLI uses https://openapi.iwencai.com/v1/query2data. Confirm that this is the official endpoint and that you trust the unknown owner/publisher before supplying credentials.
- Review network behavior: The skill sends your full query text to the external service and may retry with relaxed queries up to 2 times. Avoid sending sensitive or private data in queries because it will be transmitted to an external API and may be logged.
- Confirm credential scope: Use an API key with limited scope/usage and monitor its usage. Prefer creating a dedicated key for this skill rather than reusing high-privilege credentials.
- Test locally first: Inspect and run the provided scripts locally in a safe environment (without exposing production secrets) to validate behavior and ensure IWENCAI_API_URL usage is as expected (the CLI hardcodes DEFAULT_API_URL and does not read an IWENCAI_API_URL env var despite mentioning it in docs).

Given the manifest/instructions inconsistency and unknown publisher, treat this skill as suspicious until you validate the above points.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (ETF selection via 同花顺/问财) matches the included code and docs, which call an iwencai API. Requiring an API key and making POST queries to an external financial API is coherent with the stated purpose.
Instruction Scope
concern: The SKILL.md and scripts/cli.py instruct the agent to send user queries to an external API (openapi.iwencai.com) and to retry with relaxed queries up to 2 times. SKILL.md also allows calling 'other financial tools or search tools' at the agent's discretion (broad). Critically, the runtime instructions reference the environment variable IWENCAI_API_KEY (and mention IWENCAI_API_URL) while the skill metadata declared no required env vars — this mismatch means the agent may attempt network calls that require secrets not declared to the platform.
Install Mechanism
ok: No install spec; there is a single CLI script using only the Python standard library. No downloads or third-party packages are installed, which minimizes install-time risk.
Credentials
concern: The code requires an API key (IWENCAI_API_KEY) for authentication and the docs mention IWENCAI_API_URL; however, the registry metadata lists no required env vars. Asking for an API key is proportionate to the task, but the omission from metadata is a mismatch and increases the chance a user would inadvertently supply credentials without realizing the skill needs them. The skill does not request unrelated credentials, but the missing declaration is a red flag.
Persistence & Privilege
ok: always:false and no special persistence or system-wide configuration changes. The skill does not request elevated/always-on privileges in the manifest.