Skill v1.0.0

ClawScan security

Akshare Integrated · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 14, 2026, 3:53 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's documentation describes an AKShare-based stock-selection tool, but the runtime instructions reference a CLI and Python package that are not provided or installed by the skill bundle, creating an incoherence that warrants caution.
Guidance
This SKILL.md describes a useful AKShare-based stock selector but is missing the actual CLI/package/server that the examples call (stock-selector-akshare and stock_selector_akshare). Before installing or running anything: 1) Ask the publisher for the authoritative source (PyPI package name, GitHub repo, or published binary) that provides the CLI/module and the service API; 2) verify the source code or release artifact and its integrity (review repository, maintainers, and recent commits); 3) avoid blindly running 'pip install' in a production environment—install in an isolated environment (virtualenv/container) and inspect dependencies; 4) if you must run a local API server, ensure it’s from a trusted repository and run with least privilege and network restrictions; 5) confirm licensing, data sources, and rate limits for AKShare usage. The main issue here is incoherence (missing runtime artifacts), not explicit malicious behavior, but that gap increases risk if you search for and install third-party code to fill it.

Review Dimensions

Purpose & Capability
note: The skill claims to integrate AKShare for real-time stock selection, and the declared dependencies (akshare, pandas, numpy) are consistent with that purpose. However, the SKILL.md repeatedly references a CLI 'stock-selector-akshare' and a Python module 'stock_selector_akshare' (and an HTTP API at localhost) that are not included, published, or installed by the instructions—there is no install spec or package name that would provide those artifacts. That mismatch means a user following the instructions will not get the advertised CLI/module unless they obtain additional code from elsewhere.
Instruction Scope
note: Instructions focus on fetching data via AKShare and computing scores, which is within scope. They do not request unrelated files or secrets. Concern: instructions assume running a local service and a CLI/module without giving installation/source for that service, and leave implementation details vague (caching, backup sources, API endpoints). This ambiguity could lead the operator to install third-party code from unknown sources.
Install Mechanism
note: There is no formal install spec in the skill bundle; SKILL.md suggests 'pip install akshare pandas numpy'. Installing packages from PyPI is typical but executes code from external registries—expected for this purpose but still a security consideration. Importantly, the SKILL.md does not provide any package or repository for the 'stock-selector-akshare' CLI or the 'stock_selector_akshare' Python module, so the bundle itself supplies no runtime artifacts.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Nothing in the documentation asks for unrelated secrets. This is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does not request 'always: true', does not include install-time scripts in the bundle, and does not declare modifying other skill or system configuration. It requires no persistent privileges within the agent manifest.