GuoTai HaiTong Securities - Lingxi Market Hot List Query

Review

Audited by ClawScan on May 10, 2026.

Overview

This market-ranking skill appears aligned with its stated brokerage-data purpose, but it asks for and stores an API key while making an official-status claim that is not backed by the registry metadata.

Review this skill before installing. Its market-ranking function appears coherent, but verify that the publisher is truly official before providing a GuoTai HaiTong API key, and be aware that the key is saved in a shared local file and used by bundled Node code.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or using the skill may cause your brokerage API key to be saved locally and reused for authenticated requests.

Why it was flagged

The skill requires an API key before market-data calls and stores it in a shared local file outside the skill directory, while registry metadata says there is no primary credential or required config path.

Skill content
You must first confirm whether the `gtht-entry.json` file exists; if it does not exist, you must first run `node skill-entry.js authChecker auth --channel` ... save to `../gtht-skill-shared/gtht-entry.json`

Recommendation

Only authorize if you trust the publisher and understand what the API key can access; use a limited/revocable key if available and remove the shared key file when no longer needed.

What this means

A user may be more willing to provide a sensitive API key because the skill says it is official, even though the provided metadata does not verify that claim.

Why it was flagged

The skill claims to be an official GuoTai HaiTong skill, but the registry metadata shows source unknown and no homepage. Because the skill asks for an API key, this unsupported authority claim materially affects user trust.

Skill content
Identity statement: This Skill is the official market hot list query skill of "国泰海通 (GuoTai HaiTong)".

Recommendation

Verify the publisher through an official GuoTai HaiTong channel before providing an API key.

What this means

Using the skill runs local code supplied with the skill.

Why it was flagged

The skill expects the agent to run its bundled Node script for auth and ranklist calls. This is purpose-aligned, but it means use of the skill executes local JavaScript.

Skill content
allowed-tools: ["node"] ... `node skill-entry.js mcpClient call ranklist ranklist code=BK101003 ...`

Recommendation

Review or trust the bundled `skill-entry.js` before use, especially because it handles credentials.

What this means

Some user queries may be routed to another installed financial-search skill.

Why it was flagged

The skill may hand off out-of-scope questions to another installed skill. This is disclosed, but it crosses a skill boundary.

Skill content
If `gtht-financialsearch-skill` is installed, continue by trying to call that Skill to obtain the result

Recommendation

Ensure you also trust the fallback skill before relying on this cross-skill behavior.