Skill v2.1.3
ClawScan security
Valu Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 4:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required resources are consistent with a stock valuation tool — no obvious misdirection, hidden endpoints, or unrelated credential requests were found.
- Guidance: This skill appears coherent with its stated purpose, but review these before installing:
  1. It expects to call DeepSeek (https://api.deepseek.com) for AI text — supply an API key only if you trust that provider.
  2. The package has Python dependencies (akshare, baostock, pandas, requests) but no install script; install them in a controlled environment (virtualenv/container) before running.
  3. The skill will create and write files (config.yaml, reports/, user_data/users.json, logs) in its directory — if you care about sensitive workspace data, run it in an isolated folder.
  4. If you require stronger assurance, inspect the included Python files locally (they are readable) and/or run the code in a sandboxed environment.
  There are no signs of credential exfiltration or unrelated network endpoints, but always guard any API keys you provide.
Review Dimensions
- Purpose & Capability (ok): The name/description (DCF valuation for A-share/HK stocks) matches the code and SKILL.md: modules fetch market and financial data (AKShare/Baostock), run valuation logic, generate reports, and call an AI service (DeepSeek) for report generation. Data sources and pricing/quotas in code align with the documented functionality.
- Instruction Scope (ok): SKILL.md and code limit activity to fetching market/financial data, performing analyses, calling the declared DeepSeek AI endpoint for text generation, and saving reports/logs. There are no instructions/code paths that read unrelated system files, scan the host, or send data to undeclared third-party endpoints.
- Install Mechanism (note): There is no install spec (instruction-only at registry level), which is low risk, but the package includes Python code that depends on third-party libraries (akshare, baostock, pandas, requests, etc.). Those dependencies are not declared in the registry metadata or an install script; consumers must install them manually. This is an operational gap (not a security red flag) but worth noting before running.
- Credentials (note): The registry declares no required env vars, but the code loads DEEPSEEK_API_KEY (and supports other tokens in config). Requesting a DeepSeek API key is proportionate to its stated use (AI report generation). No unrelated secrets (AWS keys, system tokens) are requested. The skill reads/writes local config, log, user_data and report files — expected for this app.
- Persistence & Privilege (ok): always:false (not force-included). The code persists user data, usage history (user_data/users.json), logs, and reports in local directories under the skill — behavior consistent with a self-contained service. It does not attempt to modify other skills or system-wide agent settings.
