Skill v1.0.0
ClawScan security
股票 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 3:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and automatic-install behavior are consistent with a stock-data helper that uses the thsdk library; nothing in the bundle indicates hidden or unrelated capabilities.
- Guidance: This skill appears to do what it says: query stock data via the thsdk library. Before installing, be aware it will attempt to pip install/upgrade the thsdk package at runtime (network download and code execution). Verify that you trust the thsdk package source and that installing packages at runtime is acceptable for your environment. If you plan to access account-restricted data, you may need to provide THS credentials (the skill does not declare required env vars but thsdk supports username/password or env-based config). Consider running the skill in an isolated environment (virtualenv or container) and review the thsdk project and its version (>=1.7.14 recommended) before use.
Review Dimensions
- Purpose & Capability (ok): Name/description (stock data via thsdk) align with the included code and helpers: search/resolve functions, kline/realtime wrappers, and a template analyzer. There are no unrelated credentials, binaries, or config paths requested that would be out of scope for a market-data skill.
- Instruction Scope (ok): SKILL.md and the Python code restrict actions to searching symbols, resolving codes, and calling thsdk APIs. The instructions do not instruct the agent to read unrelated system files or exfiltrate data. The code does invoke pip to install thsdk and uses thsdk's THS object, which is expected for its purpose.
- Install Mechanism (note): The skill will auto-run pip install (via subprocess.run) to install/upgrade the thsdk package if missing or old. Using pip is expected here, but runtime installation has moderate risk (it downloads code from package indexes). The install target is a package name (thsdk) rather than an arbitrary URL or archive, which reduces but does not eliminate risk.
- Credentials (note): The skill declares no required environment variables (consistent with the bundle). The bundled references document that thsdk/THS can accept username/password or environment vars for account config, but the skill does not require or automatically read those secrets. If the user supplies THS credentials, the skill will use them via thsdk — this is proportional to the purpose but worth noting since credentials are optional and not declared.
- Persistence & Privilege (ok): The skill is not force-enabled (always: false) and does not modify other skills or global agent configuration. It will run when invoked and may install a Python package into the runtime environment, but it does not request elevated or persistent agent privileges beyond that.
