Skill v1.0.0
ClawScan security
stock-diagnosis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 11:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and environment requirements are consistent with a single A-share diagnostic wrapper around Eastmoney's AI API and do not request unrelated credentials or perform unexpected actions.
- Guidance: This skill is coherent with its description, but before installing: (1) verify the EM_API_KEY you receive is from Eastmoney and has appropriate scope/expiration; (2) avoid pasting the key into chat logs and rotate it if exposed; (3) be aware the script will create and write .md files under a miaoxiang/stock_diagnosis directory by default; use the --no-save option or change output_dir if you don't want files written; (4) test with non-sensitive queries first and confirm the returned Markdown comes directly from the API as intended.
Review Dimensions
- Purpose & Capability: ok. Name/description (single A-share diagnostic) match the included script and SKILL.md. The skill requires one env var (EM_API_KEY) which the code uses as an API key when calling an Eastmoney ai-saas endpoint; no unrelated services, binaries, or config paths are requested.
- Instruction Scope: ok. SKILL.md instructs the agent to call the provided script or function, pass the user's natural-language question, and prefer the API-provided Markdown output. The runtime code only reads EM_API_KEY, performs an HTTP POST to the documented Eastmoney endpoint, and optionally writes the returned Markdown to a local file. It does not read other system files or additional environment variables.
- Install Mechanism: ok. There is no install spec; the skill is instruction-only with a small included Python script that relies only on the standard library. No external downloads, package installs, or archive extractions are performed.
- Credentials: ok. Only EM_API_KEY is required and used. The key is sent in an HTTP header to ai-saas.eastmoney.com, which matches the claimed provider (Eastmoney). No additional secrets or unrelated credentials are requested.
- Persistence & Privilege: ok. "always" is false (no forced inclusion). The skill writes Markdown output to a local directory (miaoxiang/stock_diagnosis by default) when save_to_file is enabled, which is documented in SKILL.md. It does not modify other skills or system-wide configurations.
