ROIC 核心穿透分析工具 (ROIC Core Look-Through Analysis Tool)
Review: Audited by ClawScan on May 10, 2026.
Overview
The ROIC calculation pieces look purpose-aligned, but the package also contains unrelated QQ bot setup and dependency instructions that ask for account access and a bot WebSocket.
Treat this skill as needing review before installation. The ROIC-specific script behavior appears coherent, but do not run the QQ bot setup, do not log in to QQ, and do not install the provided requirements.txt unless the publisher removes or justifies the unrelated bot components.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user installs the provided requirements, they may install an unrelated bot stack that expands local attack surface and does not appear necessary for ROIC calculations.
These dependencies support a QQ/OneBot bot framework, not the stated ROIC financial-analysis tool. Their presence creates an unexpected dependency/provenance mismatch.
nonebot2[all]>=2.3.0
nonebot-adapter-onebot>=2.4.0
nonebot-plugin-apscheduler>=0.3.0
Do not install the included requirements until the publisher removes unrelated bot dependencies or explains why they are needed; use only reviewed ROIC-specific dependencies.
Following these instructions could give a bot framework access to a personal QQ account and privileged bot controls for no clear ROIC-related reason.
The README asks the user to log in to a QQ account and configure a bot superuser, which is unrelated to the ROIC skill and is not declared as a needed credential.
Log in to your QQ account ... SUPERUSERS = [你的QQ号]
Do not log in to QQ or configure bot superuser privileges for this ROIC skill unless the package is corrected and the bot purpose is explicitly reviewed.
If enabled, a local bot bridge may process chat messages or commands outside the financial-analysis task boundary.
The README configures a local OneBot WebSocket bridge, an agent/bot communication channel with unclear permissions and no relation to the ROIC workflow.
ONEBOT_WS_URLS = ["ws://127.0.0.1:3001"]
Avoid starting the NapCat/OneBot WebSocket setup for this skill; if used separately, audit its plugins, permissions, and local access controls.
The agent may run included Python code and make network calls to gather financial data when asked for ROIC analysis.
The skill is designed to run a local Python script through Bash and fetch financial data. This is purpose-aligned, but it is still local code execution.
allowed-tools: Read Write Edit WebFetch Bash ... python3 roic_calc.py <股票代码> <年份>
Review the script before running it, run it in a normal user account rather than with elevated privileges, and avoid installing unrelated requirements.
