Skill v1.0.0
ClawScan security
Akshare Router Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 1:47 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (routing AKShare data for Chinese futures/options); it requires no secrets or special privileges, but you should ensure the Python dependencies are present and be aware the scripts make network requests to public data sources.
- Guidance: This skill appears to do what it claims: route user intent to AKShare-based recipes and run small Python scripts that fetch and compute market data. Before installing, ensure your agent environment has Python with akshare and pandas available (the package is not installed by the skill). Understand that the scripts will make network requests to public data sources (Sina, Eastmoney via AKShare) and may fetch many contracts (which can be rate-limited or slow). If you don't trust the code, review the provided scripts (they are short and readable) before allowing the agent to execute them. If you plan to allow autonomous invocation, be aware the agent could run these scripts and issue network requests without prompting, so grant that capability only to agents you trust.
Review Dimensions
- Purpose & Capability (ok): Name/description (AKShare router for CN futures/options) align with the included files and runtime behaviour: the repository contains recipes, routing maps, method docs, and Python scripts that call AKShare functions to fetch and post-process market data. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md limits actions to reading the included maps/recipes/methods and running the provided scripts. The scripts only access AKShare APIs and local files in the skill; they do not read arbitrary system files or environment variables, nor do they post data to unexpected external endpoints beyond the public data sources AKShare uses.
- Install Mechanism (note): There is no install spec; this is instruction-only. The Python scripts import third-party packages (akshare, pandas) but the skill does not declare or install them. This is not malicious but means the runtime must already provide those dependencies; failing to do so will break execution. No downloads from untrusted URLs or archive extraction are present.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths and the code does not access secrets. All network access is to public market-data sources via akshare, which is appropriate for the stated functionality.
- Persistence & Privilege (ok): Flags show no forced persistence (always:false) and the skill does not request elevated privileges or modify other skills' configs. Autonomous invocation is allowed by platform default but this skill's scope and resource needs are limited.
