Skill v1.0.0

ClawScan security

Finance Data Fetcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 1:34 AM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (fetching A‑share data via AkShare) is plausible, but the package is incomplete/inconsistent: SKILL.md and skill.json reference a skill_main module and exported functions that are not included, and there are small dependency mismatches — this incoherence should be resolved before trusting or installing anything.
Guidance
This skill claims to provide Python functions (fetch_stock_quote, etc.) but does not include the implementation (no skill_main.py). Before installing or using it, ask the publisher for the missing source or an official homepage/repo. Do not blindly pip install dependencies from an unknown package—verify the author and repository. If you decide to proceed: (1) obtain the code and review it for network endpoints and data exfiltration, (2) run installs and the code in a sandbox or virtual environment, (3) confirm dependency list matches the code (SKILL.md lists numpy but skill.json does not), and (4) verify licensing and that scraping/data usage complies with the data providers' terms. The current package is internally inconsistent; resolve those gaps to reduce risk.

Review Dimensions

Purpose & Capability
note: Name and description match the declared dependencies and usage of AkShare and public Chinese finance sources — requesting no credentials is proportionate. However, skill.json declares a main module (skill_main.py) and exports functions, while no code files are present; the SKILL.md example imports from skill_main. That mismatch means the package does not actually provide the code necessary to fulfill its purpose.
Instruction Scope
concern: SKILL.md instructs installing akshare/pandas/numpy/requests and shows example calls to fetch_stock_quote etc., but it relies on a local module (skill_main) that is not included. The instructions do not ask the agent to read unrelated files or secrets, but they assume an implementation that is missing — runtime behavior is therefore undefined and could lead to ad-hoc implementations with broader scope if the agent or user fills in the gap.
Install Mechanism
note: There is no install spec (instruction-only), which is low-risk. But skill.json lists dependencies (akshare, pandas, requests) while SKILL.md's pip example also includes numpy — a small inconsistency. No external download URLs or installers are present.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Given the stated data sources (AkShare, Sina, EastMoney) this is reasonable; no secret access is required by the provided instructions.
Persistence & Privilege
ok: always is false and autonomous invocation is allowed by default. The skill does not request elevated persistence or system-wide changes and provides no installers that write files. No code is included that would persist on disk as part of the skill package.