Skill v1.0.0

ClawScan security

stock-portfolio-zh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Apr 17, 2026, 6:21 PM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared requirements, and runtime instructions are internally consistent with its stated purpose of managing portfolios and fetching live prices via AISA; two implementation notes (an undeclared dependency on the Python 'openai' package and an overridable API base URL) warrant attention but do not indicate misdirection.
Guidance
This skill appears to do what it says: local portfolio storage and live pricing via AISA. Before installing, verify that you trust the AISA endpoint and the author/source (the _meta.json points to a GitHub repo). Ensure the runtime environment has Python 3 and the Python 'openai' package, which the script depends on but does not install. Be cautious with the AISA_BASE_URL env var: if it is set, every API call, including your AISA_API_KEY and your tickers, goes to that host, so never set it to an untrusted server. Note that the script asks a language model to return live prices rather than querying a dedicated market-data API, so verify price accuracy before relying on it for trading decisions. For stricter isolation, run the script in a separate environment and keep unrelated secrets out of it.

Review Dimensions

Purpose & Capability
Rating: ok
Name/description claim live pricing via AISA and portfolio management. The bundle requires python3 and AISA_API_KEY and includes a Python script that stores local state under ./.clawdbot/skills/stock-analysis and calls AISA (via an OpenAI-compatible client) to get prices, all of which aligns with the stated purpose.
Instruction Scope
Rating: note
SKILL.md instructs running the included Python client and documents the local state path. The runtime script sends ticker symbols to the AISA API (via the OpenAI client) and expects JSON back. This means portfolio tickers and quantities are transmitted to the remote AISA endpoint, which is consistent with fetching live prices but worth noting because it is networked I/O, and because the script relies on the remote model to return truthful numeric prices rather than on a market-data feed.
Install Mechanism
Rating: note
There is no install spec (instruction-only), which is low-risk from an installer perspective. However, the script depends on the Python 'openai' package (mentioned only in a comment in the script), and neither the skill metadata nor SKILL.md declares or installs that dependency; users must ensure the runtime environment already provides it.
Credentials
Rating: concern
The skill requires a single credential (AISA_API_KEY), which is appropriate. However, the code also reads optional env vars that are not listed as required: CLAWDBOT_STATE_DIR (documented in SKILL.md), AISA_BASE_URL, and AISA_MODEL. AISA_BASE_URL redirects all requests to an arbitrary endpoint, so the API key and the tickers are sent to whatever host it names; users should ensure this variable is unset or points only at a trusted server.
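The two findings above (the Instruction Scope note that prices come back from a model as text the script expects to be JSON, and the Credentials concern that AISA_BASE_URL redirects the API key to any host) are both input-validation problems. The following is an added example, not the stock-portfolio-zh skill's own code, of the checks a reviewer would want in front of the client: an allowlist on the base URL override and strict validation of the price reply before it is stored. The allowlisted host name, the default URL, and the sample replies are constructed assumptions.

```python
"""Added example (not the skill's own code): guard the two inputs the scan
flags, the AISA_BASE_URL override and the model's free-text price reply.

Assumptions: the trusted API host is api.aisa.example and the default base URL
is https://api.aisa.example/v1; both are placeholders, not values from the skill.
"""
import json
import math
import os
from urllib.parse import urlparse

# Assumption: the only hosts the user is willing to send AISA_API_KEY to.
DEFAULT_ALLOWED_HOSTS = frozenset({"api.aisa.example"})
DEFAULT_BASE_URL = "https://api.aisa.example/v1"


def resolve_base_url(env, allowed_hosts=DEFAULT_ALLOWED_HOSTS, default=DEFAULT_BASE_URL):
    """Return the base URL the client should use.

    An unset or empty AISA_BASE_URL falls back to the default. A set value is
    only honoured if it is https and its host is on the allowlist; anything
    else would ship the API key (and the tickers) to an attacker-chosen host.
    """
    raw = env.get("AISA_BASE_URL")
    if not raw:
        return default
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise ValueError(f"AISA_BASE_URL must use https, got {raw!r}")
    if parsed.hostname not in allowed_hosts:
        raise ValueError(f"AISA_BASE_URL host {parsed.hostname!r} is not allowlisted")
    return raw


def parse_price_reply(reply_text, requested):
    """Validate a model reply that is supposed to be a JSON object of
    ticker -> price. Returns a dict containing only the requested tickers,
    each mapped to a finite positive float. Extra tickers the model volunteers
    are dropped; missing, non-numeric, NaN/inf or non-positive prices raise.
    """
    try:
        data = json.loads(reply_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"reply is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("reply must be a JSON object keyed by ticker")
    prices = {}
    for ticker, value in data.items():
        if ticker not in requested:
            continue  # never asked for it, do not store it
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"price for {ticker} is not numeric: {value!r}")
        price = float(value)
        # json.loads accepts NaN/Infinity literals, so check finiteness too.
        if not math.isfinite(price) or price <= 0:
            raise ValueError(f"price for {ticker} is out of range: {price}")
        prices[ticker] = price
    missing = set(requested) - prices.keys()
    if missing:
        raise ValueError(f"reply omitted prices for {sorted(missing)}")
    return prices


def raises_value_error(fn, *args):
    """True if fn(*args) raises ValueError; used to exercise the rejections."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Real use: pass os.environ and the tickers from the local portfolio file.
    print("base url:", resolve_base_url(os.environ))
    # Constructed sample reply standing in for the model's output.
    sample = '{"AAPL": 191.5, "MSFT": 412, "XYZ": 1}'
    print("prices:", parse_price_reply(sample, {"AAPL", "MSFT"}))
```

The allowlist is deliberately a host match rather than a prefix match on the URL string, so `https://api.aisa.example.attacker.test/` is rejected; the reply validator treats the model as an untrusted parser input and refuses partial or malformed results instead of storing whatever came back.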
Persistence & Privilege
Rating: ok
The manifest sets always:false and user-invocable:true. The skill only writes its own local state file under the path described above and does not modify other skills or system-wide settings. No elevated persistence privileges are requested.