Skill v1.0.0
ClawScan security
stock-dividend-zh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 3:35 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required credential (AISA_API_KEY) are coherent with its stated purpose of querying the AISA service for dividend analysis; nothing strongly mismatches its description.
- Guidance: This skill appears to do what it says: it sends ticker prompts to the AISA API using the provided AISA_API_KEY and returns analysis. Before installing, verify the AISA_BASE_URL (default https://api.aisa.one/v1) is the intended endpoint and treat AISA_API_KEY as a secret—anyone with it can use the AISA service. Expect to install the openai Python package (or ensure your environment already provides the client). If you want stricter guarantees, ask the publisher to (1) declare optional env vars AISA_BASE_URL and AISA_MODEL in the metadata and (2) add an install spec or dependency list so runtime dependencies are installed deterministically.
Review Dimensions
- Purpose & Capability (ok): Name and description describe using AISA to evaluate dividends; the code calls an AISA-compatible API client and requires AISA_API_KEY and python3, which are appropriate and expected.
- Instruction Scope (note): SKILL.md tells the agent to run python3 scripts/dividends.py and set AISA_API_KEY only. The script also reads optional env vars AISA_BASE_URL and AISA_MODEL (not declared in requires.env) — minor mismatch but reasonable for configuration. The instructions do not attempt to read unrelated local secrets or system files.
- Install Mechanism (note): There is no install spec. The script comments list a dependency on the openai Python package but the skill does not install it automatically; this is operationally incomplete (not a direct security issue) and may cause runtime failures if the environment lacks the package.
- Credentials (ok): Only AISA_API_KEY is required and matches the declared primary credential. No unrelated credentials or sensitive system paths are requested. The presence of two optional env vars (AISA_BASE_URL, AISA_MODEL) in code but not in metadata is a small omission but not disproportionate.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.
