Stock/Industry Tracker
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Eastmoney report generator that uses an API key, sends the user's query to a remote report service, and saves returned PDF/DOCX files locally, with no hidden or destructive behavior evident.
Install this skill if you are comfortable sending stock or industry report prompts to the Eastmoney-backed API and saving returned report files locally. Keep EM_API_KEY private, avoid including unrelated sensitive information in prompts, and verify generated reports, links, and attachments before making decisions or sharing them.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the API key may be able to use the associated Eastmoney report service or consume its quota.
The script authenticates to the remote report service using an environment-provided API key. This is disclosed and purpose-aligned, but the key is still a sensitive credential.
API_KEY = os.environ.get("EM_API_KEY", "") ... "em_api_key": API_KEY
Store EM_API_KEY securely, use a scoped or revocable key if available, and avoid sharing logs or environments that may expose it.
Any private details included in the report request may be received and processed by the external provider.
The user's raw query is sent to a remote Eastmoney API. This is central to the skill's purpose and disclosed in SKILL.md as a remote report service call.
API_URL = "https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/tracking/report" ... req_body = json.dumps({"query": query}, ensure_ascii=False).encode("utf-8")
Use the skill for intended stock or industry report prompts and avoid putting unrelated personal, confidential, or account-sensitive information in the query.
Report files will be created on the local filesystem and may persist after the session.
The script decodes provider-returned PDF/DOCX base64 data and writes the attachments to a local output directory. Filenames are sanitized and no automatic execution is shown.
DEFAULT_OUTPUT_DIR = Path.cwd() / "miaoxiang" / SKILL_SLUG ... with open(file_path, "wb") as f: f.write(raw)
Check the output directory if disk location matters, and treat downloaded PDF/DOCX attachments as external documents before opening or sharing them.
The final answer may closely mirror the remote service's report text, message, and share link rather than an independently verified analysis.
The skill intentionally makes the script/API response authoritative for final content and error messages. This is expected for the integration, but users should recognize that the report text is provider-supplied.
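If the `content` field returned by the API contains relevant industry report information, pass it through verbatim ... the model must output that `message`, and must not omit it, rewrite it, or replace it with other wording.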
Verify important financial claims, links, and attachments before relying on them or forwarding them to others.
