v1.1.2

AkShare Analysis

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

The stock-analysis purpose is coherent, but the HTML report generator embeds unescaped report and AI text that could run unwanted browser code if that content is malicious.

Guidance

Use this skill only if you are comfortable running `uv` with external Python packages. If you generate HTML reports, avoid opening or sharing reports built from untrusted report directories or AI/news text until the renderer escapes or sanitizes dynamic content. Treat the BUY/HOLD/SELL output as informational, not financial advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
scripts/render_report.py
ai_analysis = d.get("ai_analysis")
ai_section = f'<div class="ai-box"><h3>AI 综合分析</h3>{ai_analysis}</div>' if ai_analysis else ""

Report content from data.json is interpolated directly into HTML without escaping or sanitization, so malicious HTML/JavaScript in report data could execute when the user opens the generated report.

User impact: A report generated from manipulated or untrusted content could run unwanted JavaScript in the user's browser when opened.
Recommendation: Escape all dynamic HTML fields, sanitize Markdown before rendering, and treat news/AI analysis text as plain text unless explicitly trusted.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/analyze.py
# dependencies = [
#     "akshare>=1.0.0",
#     "pandas>=2.0.0",
#     "mplfinance>=0.12.0",
# ]

The documented `uv run` workflow can resolve and execute external Python packages using lower-bound version ranges rather than a pinned lockfile.

User impact: Running the skill may download package versions that were not part of the reviewed artifacts.
Recommendation: Pin dependency versions or provide a lockfile, and ensure the registry metadata clearly declares the `uv` runtime requirement.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/render_report.py
<script src="https://unpkg.com/lightweight-charts@4.2.0/dist/lightweight-charts.standalone.production.js"></script>

Generated reports load a charting library from an external CDN when opened, which is purpose-aligned for chart rendering but means the report is not fully self-contained and executes third-party browser code.

User impact: Opening a generated report may contact a third-party CDN and run JavaScript outside the reviewed skill files.
Recommendation: Bundle the chart library locally or add subresource integrity, and clearly disclose that reports load remote JavaScript.