Skill v1.0.0
ClawScan security
AI Stock Research Team · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 8:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and install steps are consistent with a local Python-based MCP data provider for stock research; it installs a venv, registers an MCP server, and uses akshare/yfinance to fetch market data — nothing in the bundle contradicts the declared purpose.
- Guidance: This skill appears to do what it says: it installs a Python virtual environment, pip-installs mcp/akshare/yfinance, and registers a local MCP server by writing to ~/.openclaw/openclaw.json or ~/.workbuddy/mcp.json. Before installing: (1) review scripts/setup.sh and scripts/server.py yourself (they will create ~/.openclaw entries and a .venv under the skill folder), (2) be aware pip will download third‑party packages (akshare/yfinance/mcp) — ensure you trust those packages and have a network connection, (3) consider running the setup in an isolated environment or VM if you want to limit impact, and (4) the uninstall.sh will remove the .venv and try to remove MCP entries but you should verify config changes after uninstall. If you want higher assurance, inspect server.py for any remote callbacks or unexpected network calls (the included code calls akshare and yfinance only).
Review Dimensions
- Purpose & Capability (ok): Name/description promise (multi-role stock research) matches the included assets: SKILL.md, a Python MCP server (server.py) and scripts to create a venv and install akshare/yfinance. Requiring python3 is appropriate and expected.
- Instruction Scope (note): SKILL.md instructs the user to run scripts/setup.sh to install dependencies and register an MCP server, and the runtime guidance restricts data sources to MCP tools (akshare/yfinance). The setup script will write to user MCP config files (openclaw.json or WorkBuddy mcp.json) to register the server — this is within purpose but is a privileged filesystem change the user should expect.
- Install Mechanism (note): No registry install spec is provided; installation is performed by the included setup.sh which creates a Python virtualenv and pip-installs mcp, akshare, yfinance from PyPI. This is a common pattern but has moderate risk because it downloads and installs third‑party packages and writes files into the user's home directory.
- Credentials (ok): The skill declares no required environment variables or credentials. The dependencies and the files it modifies (virtualenv and MCP config) are proportional to running a local MCP server that fetches market data.
- Persistence & Privilege (note): The setup registers a local MCP server by adding entries to OpenClaw/WorkBuddy config (or instructing manual registration). That gives the skill a persistent local service that can be invoked by the agent via MCP — expected for this functionality but the user should know a background server process will be installed and callable by the agent.
