Skill v1.0.0
ClawScan security
stock-analysis-zh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 3:32 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and code are consistent with a cloud-based AISA-backed stock/crypto analysis tool, but there are small omissions (undeclared optional env vars and Python dependency) you should check before installing.
- Guidance: This skill appears to do what it says: it sends tickers and an analysis prompt to an AISA-compatible API and returns the model output. Before installing: (1) Only provide an AISA_API_KEY you trust and scope that key minimally (read-only if possible); (2) be aware the script will transmit the tickers/queries to the remote AISA endpoint (default https://api.aisa.one/v1); (3) the project requires the Python 'openai' package (install via pip) but has no install spec; verify and install dependencies in a controlled environment; (4) confirm whether you want to override AISA_BASE_URL or AISA_MODEL (optional env vars used by the script) and verify the upstream service URL; (5) review the referenced GitHub repo in _meta.json if you want additional provenance. If you need the skill to never send data externally, do not install it.
Review Dimensions
- Purpose & Capability (ok): Name/description request live financial analysis and the skill requires an AISA API key and python3; the included script calls an AISA-compatible API and builds prompts to fetch live data, which matches the stated purpose.
- Instruction Scope (note): SKILL.md instructs running the provided Python client (python3 scripts/analyze_stock.py). The script only sends requested tickers and prompts to the remote AISA API and does not read local sensitive files. Note: the script also reads optional env vars AISA_BASE_URL and AISA_MODEL (not declared in SKILL.md).
- Install Mechanism (note): There is no install spec (instruction-only), which minimizes install-time risk. However, the script header documents a dependency on the openai Python package (openai>=1.0.0) but SKILL.md does not declare or install that dependency; users must pip-install it themselves.
- Credentials (note): The only required credential is AISA_API_KEY (declared as primaryEnv), which is appropriate for a cloud API integration. The script also uses optional AISA_BASE_URL and AISA_MODEL environment variables that are not listed in requires.env; these are not dangerous but should be disclosed.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent system-wide privileges or modify other skills' config. Autonomous invocation (default) is allowed but not combined with other concerning flags.
