Skill v1.0.0

ClawScan security

Wyckoff Stock Diagnosis (A股诊股工具) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 5:51 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do exactly what it says (A‑share technical/Wyckoff analysis using efinance) and does not request credentials or system privileges, but the bundled script shows signs of sloppy/incomplete code and there is no install spec — review before running.
Guidance
This skill is coherent with its description and does not ask for secrets, but review and test before use: 1) Inspect and (if necessary) fix the bundled script — the provided file appears to contain an incomplete/typo line that may crash execution. 2) Install efinance in a sandboxed Python virtualenv before running; efinance will make network requests to fetch market data. 3) Validate outputs on known tickers (and with historical backtests) — analytics code can contain logic bugs or edge cases. 4) Do not treat results as investment advice. If you want higher confidence, ask the author for a clean, complete source or run the script in an isolated environment and review network traffic to confirm only expected endpoints are contacted.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the script fetches A‑share K‑line data via the efinance library and computes moving averages, volume/Weis Wave/volume‑profile analyses and Wyckoff-related heuristics. The declared dependency (efinance) is appropriate for the task.
Instruction Scope
note: SKILL.md instructions and the script stay within stock analysis (fetch data, compute indicators, produce JSON report). The instructions do not ask the agent to read unrelated system files or environment variables. Note: the provided script content in the package appears truncated/contains a coding error (a partial line 'if val_touche...' / variable name typo) that could cause runtime exceptions.
Install Mechanism
ok: No install spec (instruction-only) and no arbitrary downloads — the script depends on the public pip package 'efinance'. That is a low to moderate risk (you must pip install a third‑party package). No unusual install behavior or remote code fetches embedded in the skill itself.
Credentials
ok: The skill requests no environment variables, no credentials, and requires only network access to fetch market data via efinance — this is proportional to its stated purpose.
Persistence & Privilege
ok: Skill is not always: true and does not request elevated privileges or modify other skills. It does not persist credentials or alter system/agent configuration.