Investment Daily Report

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to match its stated purpose: it runs a Node.js script that queries a financial data provider and writes a Markdown market report.

This looks reasonable for generating market reports. Before installing, be aware that it executes a local Node.js script, sends market-data queries to an external NeoData endpoint through a localhost gateway, and writes a Markdown file to the current or specified output path.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill executes the bundled script on the user's machine and creates a report file.

Why it was flagged

The skill asks the user to run an included Node.js script. This is central to the stated report-generation purpose, but it is still local code execution.

Skill content

node scripts/generate_report.cjs

Recommendation

Run it only if you are comfortable executing the included script, and choose output paths carefully.

What this means

The external data provider can receive the report's market-data query topics.

Why it was flagged

The script sends financial search queries through a local gateway to a remote NeoData endpoint. This is disclosed and purpose-aligned, and the code sends fixed market-query text rather than local files or credentials.

Skill content

hostname: 'localhost', port: 19000, path: '/proxy/api', ... 'Remote-URL': 'https://jprx.m.qq.com/aizone/skillserver/v1/proxy/teamrouter_neodata/query'

Recommendation

Use the skill only when external financial-data queries are acceptable for your workflow.

What this means

Users may have less certainty that the registry metadata fully reflects the bundled code version.

Why it was flagged

The bundled script and changelog identify version 1.2.0, while registry metadata lists version 1.0.0 and the source/homepage are unknown. This is a provenance/versioning inconsistency, not evidence of malicious behavior.

Skill content

// Investment Research Daily Report Generator v1.2.0

Recommendation

Review the included script before use and prefer a package with synchronized version metadata and a clear source repository.