Skill v1.0.0
ClawScan security
A Stock Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 8:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource use are consistent with a stock-watcher (real-time quotes, alerts, reports, technical analysis); it requires no secrets and uses public finance APIs, but it will perform network calls and create local files (config/cache/charts).
- Guidance: This skill appears coherent for a stock-watcher: it fetches market data from public Chinese finance APIs, computes technical indicators, creates reports and charts, and stores a local config/cache (stock_config.json, cache/, charts/). Before installing, note:
  1. It will make outbound HTTP requests to eastmoney/tencent/sina; ensure that network egress is acceptable in your environment.
  2. It writes files to the runtime directory (config, cache, charts); review/contain where it runs if you care about file placement.
  3. Notification/push behavior (DingTalk) may require you to configure a webhook or credentials; inspect notification.py and the config before enabling push channels.
  4. There is no automated installer, so the environment must have Python 3.x and the requests package.

  If you want extra assurance, review notification.py and any omitted files for any hardcoded webhooks or external endpoints before enabling the skill in an autonomous agent.
Review Dimensions
- Purpose & Capability (ok): Name/description (A-share market watching, technical analysis, reports, investment advisory) match the included Python modules and SKILL.md. All required network endpoints (eastmoney, tencent, sina) are consistent with obtaining market data; included modules (charting, historical data, auto-report, investment advisor) are proportionate to the stated functionality.
- Instruction Scope (ok): SKILL.md describes user commands and notes dependencies (Python, requests). It does not instruct the agent to read unrelated system files or request secrets. The runtime code performs expected actions: HTTP requests to public finance APIs, local caching/config reads and writes, generating reports/charts, and background monitoring. There are no broad or unclear instructions that would grant the agent extra data collection beyond the stated purpose.
- Install Mechanism (note): No install spec provided (instruction-only at registry level) but the package includes Python code. The SKILL.md lists Python 3.x and requests; there is no automated installer. That is safe but means the runtime environment must have Python and requests available. No downloads from untrusted URLs or obscure installers were observed.
- Credentials (ok): The skill declares no required environment variables or primary credential. The code does not request AWS/other platform credentials. Default config contains a dingtalk_user_id string but no secret tokens were required by SKILL.md. Overall requested environment access is proportionate to functionality.
- Persistence & Privilege (note): The skill creates and uses local files: stock_config.json (config), cache/stock_cache.json (cache), and charts/ (images or placeholders). It reads/writes these in its package/runtime directory. 'always' is false and the skill does not attempt to modify other skills or system-wide settings. Users should expect local disk writes and consider where the agent will run.
