Skillv1.3.0

ClawScan security

Select Super Stock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 20, 2026, 4:13 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (a stock screener using AKShare) matches the code, but there are several coherence and reliability issues (missing referenced files, absent install instructions for required Python packages, and a wrapper that tries to run a non-existent script) that make it risky or likely to fail if installed without review.
Guidance: This package appears to implement the advertised stock-screener logic, but it has a number of practical/incoherent issues you should resolve before running it: - Missing helper files: the wrapper (scripts/run_with_cache.py) expects a script named stock_analyzer_orig.py and imports cache_utils from a _shared directory; those files/directories are not present in the manifest. Confirm where cache_utils and the original analyzer are supposed to come from. - Dependency management: the code requires Python packages (akshare, pandas). The skill provides no install instructions. Install dependencies in a controlled environment (virtualenv) using: pip install akshare pandas (and any other dependencies) and verify versions first. - Subprocess execution: run_with_cache uses subprocess.run to invoke another local script. If you add or rename files to satisfy the wrapper, verify the invoked script's content before running — subprocess will execute code on your machine. - Network access: AKShare fetches market data from external sources. Only install/run this in an environment where network access is acceptable and you trust the data sources. - Shebang/path assumptions: scripts use a Homebrew Python shebang path which may not exist on your system; run them with your python3 executable explicitly (e.g., python3 scripts/stock_analyzer.py --symbol 600938 --full). Recommended next steps before using: inspect/cache_utils (if provided elsewhere) and resolve the missing stock_analyzer_orig.py vs stock_analyzer.py mismatch; run the scripts in an isolated test environment (container or VM); review all script contents; and only then install dependencies and run. If you are not comfortable resolving these issues, treat this package as untrusted/unready.

Review Dimensions

Purpose & Capability: noteThe name/description (stock screener for A/H/US stocks) aligns with the included code: the scripts call AKShare, compute technical/fundamental indicators, and produce reports. Forcing AKShare as the data source is coherent with the stated goal.
Instruction Scope: concernSKILL.md instructs running the provided Python analyzer and the scripts do what they claim (fetch market data, compute indicators, produce recommendations). However, the runtime instructions rely on local scripts and a cache helper (cache_utils) that are not present in the manifest, and the wrapper script prints and executes another script name (stock_analyzer_orig.py) that doesn't exist in the file listing — this is an inconsistency that could cause unexpected failures or arbitrary subprocess execution if the environment contains different files.
Install Mechanism: concernThere is no install spec. The code depends on third-party Python packages (akshare, pandas) but does not provide installation steps; scripts assume a particular Python path in the shebang (/home/linuxbrew/...) which may not exist. Missing install guidance makes correct setup fragile and could lead users to run commands inappropriately to satisfy dependencies.
Credentials: okThe skill requests no environment variables, credentials, or config paths. Its network access (AKShare) is proportional to the stated purpose of fetching market data. No secrets are requested or required by the code.
Persistence & Privilege: okalways is false and there is no indication the skill tries to persist itself into agent/system configuration or modify other skills. It caches report data under the script directory (.cache), which is local and expected for a caching helper.