v1.0.0

Fiscal Data Collection and Analysis (财政数据采集分析)

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:27 AM.

Analysis

This skill coherently collects public Ministry of Finance fiscal data and writes local analysis files; the notable risks are ordinary Python execution, unpinned dependencies, network fetching, and cache reuse.

Guidance: Before installing, treat this as a normal Python data pipeline: run it in an isolated environment, expect outbound access to the disclosed Ministry of Finance website, choose a safe output directory such as the workspace output folder, and clear cached outputs when you need a fresh trusted collection.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
SKILL.md
python3 $SKILL_DIR/FinancialDataCollection/scripts/run_pipeline.py

The skill instructs use of a bundled Python pipeline. This is disclosed and central to the data collection purpose, but users should know installation involves running local code.

User impact: Running the skill executes local Python code that fetches data and creates output files.
Recommendation: Run it only when you intend to collect/analyze fiscal data, and use the documented month-range and output-directory options to keep execution scoped.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
FinancialDataCollection/environment.yml
pip:
      - requests
      - beautifulsoup4
      - lxml
      - openpyxl

The conda environment installs unpinned Python packages. These dependencies are expected for crawling/parsing/exporting, but unpinned versions can change over time.

User impact: Future installs may pull newer dependency versions than the author tested.
Recommendation: If reproducibility matters, pin dependency versions or install in an isolated environment.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
FinancialDataCollection/src/fiscal_crawler.py
BASE_URL = "https://www.mof.gov.cn/gkml/caizhengshuju/" ... response = self.session.get(url, timeout=self.timeout)

The crawler performs network requests to the disclosed official data source. This is expected for the skill's purpose and not evidence of hidden exfiltration.

User impact: Using the skill will contact the Ministry of Finance website to retrieve public pages.
Recommendation: Use this only in an environment where outbound access to the disclosed public website is acceptable.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
FinancialDataCollection/README.md
If the range folder already exists and `extracted_metrics.xlsx` has at least `40` data rows, it is reused directly without re-crawling

The pipeline reuses local cached Excel outputs based mainly on row count. This is disclosed caching behavior, but stale or manually altered cache files could affect later analysis.

User impact: Old or modified cached files may influence generated summaries and conclusions.
Recommendation: For high-confidence results, clear the relevant output cache or force a fresh run before relying on the analysis.