Skill v1.0.11
ClawScan security
All-Market Financial Data Hub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 11:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (querying EastMoney financial data); it only needs an EM_API_KEY, uses a reasonable EastMoney API endpoint, and installs ordinary Python packages.
- Guidance: This skill appears coherent with its stated purpose, but take the usual precautions: only provide an EM_API_KEY you obtained from the official EastMoney service (https://ai.eastmoney.com/mxClaw), and verify its scope/expiration. Inspect scripts/get_data.py before running (you can grep for any unexpected network endpoints or file reads); run the first tests in an isolated environment or container to avoid accidental leakage. Do not paste the API key into prompts or logs; store it in environment variables as instructed. If you plan to use this in an organization, check licensing/compliance with EastMoney and confirm the key's allowed usage and rate limits.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a data-query tool for EastMoney; the only required environment variable is EM_API_KEY (consistent with authenticating to EastMoney APIs). The included script targets an EastMoney ai-saas endpoint and formats results into XLSX/TXT as described.
- Instruction Scope (ok): SKILL.md confines runtime actions to installing Python deps, setting EM_API_KEY, and running scripts/get_data.py. The README explicitly warns about not leaking the key and documents output files and a 5-entity query limit. Nothing in the provided instructions asks the agent to read unrelated system files or transmit data to unexpected endpoints.
- Install Mechanism (ok): No high-risk install (script is instruction-only and asks the user to pip install httpx, pandas, openpyxl). Dependencies are standard, from PyPI, and there are no arbitrary URL downloads or archive extraction in the manifest.
- Credentials (ok): Only EM_API_KEY is required and is justified by the description (EastMoney API key). There are no additional unrelated credentials, config paths, or broad environment requests declared.
- Persistence & Privilege (ok): Skill is not force-included (always:false) and does not request elevated persistence. It writes outputs to a subdirectory of the current working directory (miaoxiang/mx_finance_data) as documented, which is appropriate for a data-export tool.
