Skillv1.0.0

ClawScan security

ST股票分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 13, 2026, 9:31 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: Skill's instructions and requirements are coherent with its stated purpose (ST/*ST stock analysis); main issues are a Windows-only save path and explicit instructions to fetch/scrape multiple external finance sites which the user should confirm are acceptable and that the agent may write files locally.
Guidance: This skill appears to do what it says: collect public data from finance sites, cross-check sources, analyze ST stocks, and produce a PDF report. Before installing, consider: 1) The SKILL.md requires web scraping of sites like 同花顺/东方财富/雪球/大智慧 — verify that scraping these sites is permitted under their terms and that the agent's web tools will handle rate limits/logins appropriately. 2) The skill mandates saving the PDF to D:\Downloads\ (Windows path) but the skill has no OS restriction — confirm the target environment and, if needed, request or configure an alternative save path. 3) Although no credentials are requested, the agent will access external web pages; ensure no private session cookies or credentials are exposed to the skill's web tools. 4) The analysis is explicitly for informational purposes and not investment advice; you should still verify outputs and data sources. If you plan to use this skill, consider providing a preferred, platform-appropriate output path and confirming acceptable data sources and scraping policy.

Review Dimensions

Purpose & Capability: okName and description match the instructions: the SKILL.md tells the agent to collect data from financial platforms, cross-validate, run multi-dimension analysis and produce a report — all consistent with an ST-stock analyst skill. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: noteInstructions remain within analysis scope (financial, restructuring, technical and sentiment checks) and require using web_search/web_fetch/browser to collect public data from specific finance sites. Notable instruction: always perform multi-platform cross-validation (at least two sources). The SKILL.md also mandates saving the report as a PDF to a specific local path (D:\Downloads\...) which is an OS-specific filesystem write outside pure analysis and should be acknowledged by the user.
Install Mechanism: okInstruction-only skill with no install spec and no code files — minimal installation risk.
Credentials: noteThe skill requests no environment variables or credentials, which is appropriate. However, it does instruct the agent to access and scrape multiple external finance websites and to write a PDF to a local Windows path; these imply network access and local filesystem write permissions but do not require secrets. Confirm that scraping these sites is allowed and that the agent should have permission to write to the specified directory.
Persistence & Privilege: notealways:false and no autonomous privilege escalation are fine. The only persistence-like behavior is writing a PDF to D:\Downloads\ — this is not a permanent installation but is a filesystem write and is OS-specific; the skill does not request ongoing background presence or modify other skills.