Skillv1.0.2

ClawScan security

Stocktorch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 31, 2026, 3:37 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description promises a runnable stock analysis system, but the package only contains an instruction document that tells the agent to run local Python scripts and read many files that are not included — the requested actions and the actual bundle do not line up.
Guidance: This package is just an instruction file (SKILL.md) that describes a full Python-based stock analyzer but does not include any code, docs, or installers. Before installing or enabling it: 1) Ask the publisher for source code or a homepage and verify the run_skill.py and docs referenced in SKILL.md. 2) If you allow the agent to run this skill, restrict its filesystem and execution permissions (run in a sandbox) because the instructions will try to execute python3 scripts and read/write local files if they exist. 3) If you find run_skill.py from an external repo, audit that code before granting the agent permission to execute it. 4) Avoid enabling the skill on systems with sensitive data unless you can confirm exactly which files and network endpoints the skill will access.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes a full A‑share analysis tool that runs python3 run_skill.py, reads docs/, and writes reports/, yet the skill bundle contains only SKILL.md and no code, docs, or binaries. The declared requirements list no binaries or env vars, but the instructions implicitly require python3 and a browser interface (browser_use). This mismatch is incoherent: either the skill is a thin operator that expects external project files, or it's misleading about providing runnable functionality.
Instruction Scope: concernRuntime instructions direct the agent to perform web searches (browser_use), extract stock codes, run local commands (python3 run_skill.py ...), read many local documents (docs/*.md, report/读财报.md) and save reports to reports/. Those files are not present in the package; following these instructions could cause the agent to search the user's file system or execute arbitrary local Python scripts if they exist. The instructions also assert timing ('0.5秒获取18年数据') and strict document-read rules which give the agent broad discretion to access system files and browser results beyond the skill's stated scope.
Install Mechanism: okThere is no install spec (instruction-only). That reduces supply-chain risk because nothing is downloaded or written by an installer. However, the lack of delivered code means the instructions are placeholders that rely on external code being present on the host — a separate risk vector.
Credentials: noteThe skill requests no environment variables or credentials, which is proportionate. But it nevertheless instructs reading and writing local files and executing python3 commands: those behaviors require filesystem and execution privileges that are not declared. The absence of declared env/credentials is not sufficient reassurance because the skill could cause the agent to access local data or invoke local programs.
Persistence & Privilege: okalways is false and the skill does not request persistent installation. Autonomous invocation is allowed (platform default). That alone is not a red flag, but combined with the instruction to execute local scripts it increases the potential impact if the agent is permitted to run code on the host.