Skill v1.1.0
ClawScan security
Technical Indicators · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 1:34 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the claimed technical-indicator and backtest functionality, but there are mismatches in dependency declarations, some documentation claims (backtesting/acceptance) appear inconsistent with the included results, and some features (notifications, ML) imply external credentials or extra libraries that the SKILL.md does not request. Review before installing or granting network/credential access.
- Guidance: what to check before installing
  - Review integration.py, ml_predictor.py and any modules that might call network endpoints for hardcoded URLs or credential use. The SKILL.md names AkShare and 东方财富 (East Money) as data sources (both network-based); confirm you are comfortable with network access and that no secret will be uploaded unexpectedly.
  - The docs list notification push (Feishu, email) and reference a 'webchat' request channel. Search the code for Feishu/SMTP/webhook usage and verify where credentials should be provided and how they are stored (no env vars are declared now).
  - The SKILL.md only asks to pip install akshare pandas numpy, but the codebase and enhancement docs reference ML libraries (LSTM, LightGBM), scipy, or other tooling. Expect to install additional packages to use ML/optimizer features; run tests in an isolated environment first.
  - The acceptance/checklist items are partially inconsistent with the included backtest results (backtest_result.json shows negative/poor metrics). Do not assume the skill meets the 'backtest win rate > 55%' claim without validating on your own data.
  - Run the package in a sandboxed environment (or container/VM) first, inspect network traffic during operation, and confirm no unexpected outbound connections or attempts to read unrelated system files. If you plan to enable notification pushes, provide credentials only to trusted endpoints and follow least-privilege principles.
  - If you want, I can: (1) scan the remaining omitted files for network calls, subprocess usage, or os.environ access; (2) list imports from all files to identify additional undeclared dependencies; or (3) point to specific lines to inspect for credential usage.
Review Dimensions
- Purpose & Capability
- ok: Name/description (A-share technical indicators, price-volume patterns, resonance analysis, backtesting) align with the included code files (technical_indicators.py, resonance_analysis.py, backtester.py, candlestick_patterns.py, vwap.py, ichimoku_cloud.py, etc.). The codebase contains modules and tests consistent with the stated purpose; no unrelated cloud service credentials or unrelated binaries are requested.
- Instruction Scope
- note: SKILL.md runtime instructions are focused on computing indicators, resonance analysis and running backtests, and instruct users to pip install akshare/pandas/numpy; it explicitly names data sources (AkShare, 东方财富 API). The instructions do not request reading unrelated system files or environment variables. However, the docs mention push/notification channels (Feishu, email, sound alerts) and an automated 'request channel: webchat' in DELIVERY_REPORT; the SKILL.md does not provide credential setup steps for those notification channels, so actual notification integrations (if implemented in integration.py or elsewhere) will require additional secrets or configuration not documented here.
- Install Mechanism
- note: No formal install spec is provided in the registry (instruction-only), but SKILL.md recommends pip install akshare pandas numpy. This is a low-to-moderate risk pattern (pulling packages from PyPI). No arbitrary URL downloads or extract steps are present in the manifest. Potential risk: some modules (ML predictor, optimizer, tests) may require additional Python packages (e.g., scikit-learn, lightgbm, tensorflow/torch, scipy) that are not listed, so running all features may fail or prompt additional installs.
- Credentials
- concern: The skill declares no required environment variables or credentials, but some documented features imply needing external access/credentials: notification push (Feishu/email), market data sources beyond AkShare (东方财富 API), and any external news, Dragon-Tiger list (龙虎榜) or options data described in the enhancement plan. The SKILL.md does not declare these environment variables or explain how secrets are handled. Also, the ML/optimization components referenced in the docs may require extra libraries/dependencies not declared. This mismatch (features that need credentials/libraries but no declared env) is a proportionality concern.
- Persistence & Privilege
- ok: The skill is not marked always:true and does not request special persistence or elevated privileges. The included code appears to run as library modules; nothing in SKILL.md or the manifest requests to modify other skills or system-wide settings.
