Skill v1.0.12

ClawScan security

Global Macro Database Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 11:19 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's code, required environment variable, and instructions are coherent with its stated purpose (querying EastMoney macro data and producing CSVs); no unrelated credentials, unusual installs, or hidden endpoints were found.
Guidance
This skill appears to be what it says: it calls EastMoney's macro-data API and writes CSV and description files. Before installing, confirm the provenance and scope of EM_API_KEY (whether it can be revoked and whether it is limited by rate or scopes), avoid placing the key in source or logs, and run the skill in an environment where writing CSV files is acceptable. Be aware that the skill prints request bodies to stdout (which include the user's queries) and that it raises an error at import time if EM_API_KEY is not set. If you integrate it into an orchestrator, make sure the orchestrator implements the described completeness/iteration protocol if you want the promised full-coverage behavior, and consider rate limits or costs for repeated queries.

Review Dimensions

Purpose & Capability (ok)
The name and description describe natural-language queries to an EastMoney macro-data API; the only required environment variable is EM_API_KEY, which the code uses as the API key for requests to an eastmoney domain. The declared dependency (httpx) is appropriate for making HTTP requests.
Instruction Scope (note)
SKILL.md and the script stay on-task: they describe building a request, calling the EastMoney endpoint, converting the returned JSON into a CSV and a description TXT, and require an orchestrator to perform completeness checks and iterative re-queries. Note: the skill mandates that the orchestrator run a multi-stage verification/iteration protocol (gap detection and up to 5 retries). This is a design decision rather than an access or information escalation, but it may surprise integrators because it places additional correctness responsibilities on the caller. Also, the script prints the request body and URL to stdout (the printed output includes the user query but not the EM_API_KEY), and it raises a hard error at import time if EM_API_KEY is not set, which can cause the skill to fail to load when the variable is missing.
Install Mechanism (ok)
No download-from-URL installs. The metadata specifies installing a single Python dependency (httpx), which is proportional and expected for async HTTP calls. There is no archive extraction or external executable download.
Credentials (ok)
Only one environment variable is required (EM_API_KEY), and it is used directly as the API key for the described EastMoney service. No unrelated secrets or excessive environment access are requested.
Persistence & Privilege (ok)
The skill does not request always:true or other elevated persistence. It writes output files (CSV and description files) to a workspace/output directory, which is expected for its function. It does not attempt to modify other skills' configs or system-wide settings.