Skill v0.1.0
ClawScan security
HK IPO Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 4:13 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, required binary, config paths, and runtime instructions are coherent with an orchestrator for a local HK IPO CLI; it reads/writes its own config/db and calls public data sources, which matches its stated purpose.
- Guidance: This skill packages a full hkipo-next CLI that will (1) install or expect a 'uv' runner, (2) read and possibly modify files under ~/.hkipo-next (profile.json, watchlist.json, hkipo.db), and (3) make outbound HTTP requests to public data sources (aipo.myiqdii.com, aastocks.com, hkex, qt.gtimg.cn, etc.). It does not request cloud credentials or hidden env vars. Before installing, review and back up ~/.hkipo-next if you have existing data, confirm you are comfortable the skill can read/write that directory, and ensure installing the 'uv' Homebrew formula is acceptable on your system. If you need higher assurance, inspect runtime network hosts in the code and run the CLI in a sandboxed environment first.
Review Dimensions
- Purpose & Capability: ok. Name/description (HK IPO orchestration) match what is provided: a Python CLI (hkipo-next) with many adapters for AiPO, AAStocks, HKEX, etc. Requiring the 'uv' runner and local config/db under ~/.hkipo-next is consistent with the CLI design.
- Instruction Scope: ok. SKILL.md directs routing across companion skills and declares the config files the tool uses. The packaged code performs network calls to public data sources and reads/writes the declared profile/watchlist/db files — this is within the expected scope. There are no instructions to read unrelated system files or to exfiltrate arbitrary secrets.
- Install Mechanism: ok. Install spec is a Homebrew formula for 'uv' which the README/usage references as the runner. Homebrew is a standard install mechanism; no arbitrary URL downloads or archive extractions are present in the manifest.
- Credentials: ok. The skill requests no environment variables or external credentials. It does declare config paths (~/.hkipo-next/config/profile.json, ~/.hkipo-next/config/watchlist.json, ~/.hkipo-next/data/hkipo.db) which the code legitimately reads and may mutate (profiles, watchlists, reviews). This level of local file access is proportionate for its functionality.
- Persistence & Privilege: ok. always:false and normal autonomous invocation. The skill works with its own local config/db but does not request system-wide persistence or modify other skills. No elevated privileges or force-inclusion flags are present.
