Skillv1.0.0

ClawScan security

A股龙头股识别 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 15, 2026, 6:13 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: An instruction-only trading heuristics skill whose content matches its stated purpose, but it omits any guidance about how to obtain live market data or execution permissions and contains simple rules that carry financial risk.
Guidance: This skill is a short, coherent set of trading heuristics (how to spot a sector leader) and contains no code or installers. Before relying on it: (1) ensure the agent or your environment provides accurate real-time market data (order-book/封单量, circulating shares, turnover rate) — the skill does not specify data sources or API keys; (2) do NOT grant any brokerage/trading credentials to an autonomous agent without careful controls — the skill implies 'follow' but does not implement safe execution; (3) remember these are simple heuristics and carry financial risk — test on historical data or in paper trading first; (4) if you plan to make the agent act on signals, require explicit user confirmation and limit any automated trading permissions.

Review Dimensions

Purpose & Capability: noteThe skill's name, description, and SKILL.md are aligned: it provides heuristics for identifying A-share sector leaders (涨停, 封单比, 换手率, 题材叠加). However, the rules implicitly require real-time market data (price, limit-up status, order book/封单量, circulating shares, turnover rate) which the skill does not declare how to obtain (no APIs, env vars, or data-source instructions). That omission is notable but not necessarily malicious.
Instruction Scope: noteSKILL.md contains only decision rules and a simple workflow (identify first limit-up, check 封单 and 题材, then follow). It does not instruct the agent to read local files, use credentials, or call external endpoints. It does, however, assume access to real-time market data and implicitly recommends trading actions ('直接跟进'), so users should be aware it is advisory and lacks concrete data-feed or execution safeguards.
Install Mechanism: okInstruction-only skill with no install spec and no code files. No software is written to disk and no external packages are pulled in — low install risk.
Credentials: noteThe skill requests no environment variables or credentials. In practice, implementing these heuristics requires market-data APIs and possibly brokerage/execution credentials; the absence of declared data-source requirements is a gap that a deploying agent or user must fill explicitly.
Persistence & Privilege: okNo special persistence requested (always:false). The skill does not request elevated agent privileges or modify other skills' configurations.