AI Risk Assessment
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned and non-malicious. The only issues are ones a user would notice: unpinned dependencies, external market-data access, and an advertised stress-test capability that is not implemented.
This skill looks safe to review/install for calculation purposes. Use a virtual environment, consider pinning dependencies, remember that market data comes from an external provider, and verify the outputs yourself before making financial decisions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependencies will bring third-party package code into the user's Python environment.
The skill asks users to install third-party Python packages without version pins. This is expected for the market-data and numerical-calculation purpose, but package versions and provenance are left to the package index.
`pip install akshare pandas numpy scipy`
Install in a virtual environment and consider pinning or reviewing dependency versions before use.
The stock symbols queried may be sent to or resolved through the external market-data provider, and results depend on that provider's data quality.
The VaR calculation retrieves market data through AkShare using the supplied stock code. This is purpose-aligned, but it is an external data-provider call.
`df = ak.stock_zh_a_hist(symbol=code, period="daily", adjust="qfq")`
Use only symbols you are comfortable querying externally and independently verify important financial results.
Users may expect stress-testing functionality that is unavailable or may fail if called.
The manifest exports a `stress_test` function, and SKILL.md advertises stress testing, but the provided source does not implement a `stress_test` function. This is a capability mismatch rather than evidence of malicious behavior.
`"exports": ["calculate_var", "stress_test", "position_suggestion"]`
Verify the implemented functions before relying on the skill, especially for investment or risk-management decisions.
