Institutional Tracker Ai

Review

Audited by ClawScan on May 10, 2026.

Overview

The stock-analysis purpose is coherent, but the skill under-discloses and over-reassures users about a Tushare proxy token that is sent to a configured external API endpoint.

Review this skill before installing. If you use it, configure only a trusted HTTPS Tushare/proxy endpoint, treat the token like a paid credential, inspect scripts/install.sh and config.py, and do not enable recurring WorkBuddy or WeChat push automation until you understand what will run and be sent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A paid data token could be exposed to an untrusted proxy endpoint or over insecure transport if the user follows the example without caution.

Why it was flagged

The skill directs users to use a paid proxy token and proxy API URL, including an HTTP example, while the registry metadata says there is no primary credential. This leaves the credential scope, provider trust, and transport security under-defined.

Skill content

A proxy-version Token can be purchased on Xianyu (about 38 yuan/month)... Obtain: Token string + proxy API address ... TUSHARE_API_URL = "http://你的代理地址"

Recommendation

Declare the Tushare token as a credential, require or strongly recommend HTTPS and trusted providers, and document exactly which endpoint receives the token.

What this means

Users may believe the token never leaves their machine, when it must be transmitted to the configured Tushare/proxy API for the skill to work.

Why it was flagged

This assurance is materially ambiguous because scripts/data_fetcher.py constructs requests containing the token and sends them to the configured TUSHARE_API_URL.

Skill content

The Token is stored locally in config.py and is not uploaded to any external service.

Recommendation

Reword the claim to say the token is stored locally but sent only to the user-configured Tushare/proxy API, and warn users to use trusted HTTPS endpoints.

What this means

If the referenced local NeoData plugin is missing, altered, or untrusted, auxiliary data fetching may fail or execute code outside the reviewed skill.

Why it was flagged

The code references an external local plugin script outside this skill package. This appears purpose-aligned for auxiliary financial data, but it is an additional provenance and availability dependency.

Skill content

NEODATA_SCRIPT = Path(os.path.expanduser("~/.workbuddy/plugins/marketplaces/cb_teams_marketplace/plugins/finance-data/skills/neodata-financial-search/scripts/query.py"))

Recommendation

Declare NeoData as an optional dependency, document when it is used, and avoid executing external helper scripts unless the user has installed and trusted them.

What this means

If enabled, the scanner may keep running on a schedule and send report contents until the user disables the automation.

Why it was flagged

The skill suggests recurring scheduled scans and report pushing. This is disclosed and user-directed rather than automatic hidden persistence.

Skill content

It is recommended to create an automated task in WorkBuddy... Time: 16:35 on every trading day ... Push: send the report summary + HTML attachment via WeChat

Recommendation

Enable recurring tasks and WeChat pushing only after reviewing the reports and confirming what data will be sent.