ClawHub
Back to skill
v1.0.2

A股每日复盘视频生成

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:24 AM.

Analysis

This is a coherent A-share recap video generator; the main things to review are its dependency installer, external asset downloads, and branded promotional slide content.

GuidanceBefore installing, be comfortable running the setup script and downloading assets/dependencies from external sources. Use a virtual environment if possible, verify the generated market analysis before publishing, and preview the slides so the financial wording and promotional page match your intent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
scripts/setup.sh
pip3 install pillow || pip install pillow ... pip3 install fonttools brotli || pip install fonttools brotli ... skillhub install ftshare-market-data ... skillhub install newsnow-reader

The setup script installs Python packages and additional skills from external package/skill sources. This is disclosed and purpose-aligned, but it changes the local environment and is not represented in the registry install spec.

User impactRunning the setup script can install packages and dependency skills on the user's machine.
RecommendationReview setup.sh before running it, prefer a virtual environment for Python packages, and install dependency skills only from sources you trust.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
scripts/ensure_assets.py
https://cdn.jsdelivr.net/fontsource/fonts/noto-sans-sc@latest/...; https://github.com/eddiexux/astock-video-report-assets/releases/download/v1.0.0/...; subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'fonttools', 'brotli', '-q'])

The asset helper can download fonts/BGM from CDN/GitHub and may install font conversion dependencies at runtime. These downloads are expected for video generation, but the CDN URL uses @latest and no checksum verification is shown.

User impactFirst use may fetch external files and packages, so output generation depends on third-party asset/package availability and integrity.
RecommendationIf supply-chain control matters, preinstall dependencies, pin versions, verify downloaded assets, or place reviewed assets in the assets directory manually.
Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
6. Skill 安装方法(推广页:展示非凸全套 4 个 ftshare 数据包,非本 skill 的硬依赖)

The generated video intentionally includes a promotional installation slide for additional data skills that are not hard dependencies. This is disclosed, but it affects what the user may publish.

User impactPublished videos may advertise extra skills or installation commands beyond the direct recap-video function.
RecommendationPreview the seven slides before video synthesis and remove or edit the promotional slide if it is not appropriate for your audience.