StockEarning Review
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed StockEarning portfolio skill that uses an API key and can update portfolio records, with behavior that is mostly scoped and confirmation-oriented.
Install this only if you trust StockEarning.cn and want an agent to access and update your portfolio records. Store the API key in the recommended 600-permission file, review every write confirmation carefully, and avoid custom STOCK_BASE_URL values unless you explicitly trust the endpoint.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms the wrong trade or adjustment, the StockEarning portfolio records and analytics may become inaccurate.
The wrapper permits authenticated API calls that mutate StockEarning portfolio records. This matches the stated portfolio-management purpose, and the SKILL instructions require confirmation for trade writes, but users should treat all writes as account-changing actions.
Allowed write endpoints include `/api/trades/` for POST and `/api/positions/[0-9]+/edit` for PUT.
Review the confirmation checklist before any write, and prefer the query-only subskills when you only want market or portfolio information.

Anyone or any agent with this key could access or modify the StockEarning data allowed by that key.
The skill requires a StockEarning API key and sends it with each API request. This is expected for the service integration, but it grants access to the user's StockEarning account.
Environment variable: `STOCK_API_KEY` ... All requests use the HTTP header `X-API-Key: $STOCK_API_KEY`
Use a revocable API key, store it securely, and revoke or rotate it if the local machine or skill environment may be compromised.

A maliciously modified stockearning.env file could run local commands under the user's account.
The credential loader sources local env files as shell scripts. This is a common setup pattern and the code warns about loose permissions, but a tampered env file could execute shell commands when the skill runs.
`se_try_load_env_file() { ... source "$file" ... }`
Keep the env file owned by you with 600/400 permissions, and keep it to simple `export STOCK_API_KEY=...` content.

Install-time prompts may not fully reflect that the skill needs an API key.
The registry requirement summary under-declares the credential need even though the capability signal and the skill artifacts disclose STOCK_API_KEY. This is a metadata consistency issue rather than hidden behavior.
Required env vars: none ... Primary credential: none ... Capability signals: requires-sensitive-credentials
Read the SKILL.md/plugin.json setup instructions and configure the API key intentionally before using account features.
