Skill v1.0.0

ClawScan security

守拙 — Chinese Fund Manager Mental Model · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 3:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only persona for value-oriented China equity investing; its requested footprint (no installs, no env vars, no external endpoints) matches its stated purpose and contains no incoherent or disproportionate requirements.
Guidance
This skill is internally coherent: it simply instructs the agent to act as a conservative Chinese value-investing persona and includes decision checklists. Before installing, consider: (1) provenance — source is unknown, so verify the author if you need attribution or legal certainty; (2) financial risk — outputs are investment guidance, not guarantees; treat it as a decision-support tool and validate with your own research or a licensed advisor; (3) data sources — the skill doesn't fetch market data itself, so ensure the agent has access to reliable prices/financials if you expect up-to-date analysis; (4) privacy — although this skill doesn't request credentials, avoid pasting sensitive account credentials into prompts. If you want the skill to automatically fetch market data later, require that any added code or configuration be reviewed for network endpoints and credentials first.

Review Dimensions

Purpose & Capability
ok
Name/description (a Chinese value-investing mental model) align with the content of SKILL.md. The skill is instruction-only and does not request credentials, binaries, or access inconsistent with financial-analysis persona behavior.
Instruction Scope
ok
Runtime instructions are limited to adopting an investment persona, applying specific heuristics and checklists, and answering queries about A-share/HK investments. The SKILL.md does not instruct reading local files, using environment variables, or sending data to external endpoints, nor does it grant broad discretionary data collection.
Install Mechanism
ok
No install specification or code files are included; this is the lowest-risk model (instruction-only). Nothing will be written to disk or downloaded as part of installation.
Credentials
ok
The skill requires no environment variables, credentials, or config paths. There are no unexplained secret requests or cross-service credentials that would be disproportionate to the stated purpose.
Persistence & Privilege
ok
always is false (default) and disable-model-invocation is false (normal). The skill does not request persistent system-wide changes or access to other skills' configuration. Autonomous invocation is allowed by default but not combined with other concerning privileges.