Skill v1.0.0

ClawScan security

fund-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 12, 2026, 7:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement fund lookup and analysis using web-scraping scripts (mostly from eastmoney), but there are inconsistencies between the declared data source/documentation and the actual code (mentions of Alipay and simulated login/cookies), so review before use.
Guidance
This skill's code (Python scripts) performs web requests to fund.eastmoney.com and parses returned HTML/JS to produce fund metrics — that matches its purpose. However: 1) the documentation inconsistently mentions Alipay and simulating login/cookies (and even a placeholder fund.1234567.com), while the scripts target eastmoney; this mismatch could cause future instructions to request cookies or credentials — do NOT provide account cookies or secrets unless you fully trust and inspect updated code. 2) Review the included scripts locally before running, and run them in an isolated environment (container or VM) if you are unsure. 3) The install.sh assumes a ~/.codebuddy/skills path; confirm that path and the script before executing. 4) The scripts make network requests — expect rate limits and respect the site's terms of service. If you want a stronger assessment, provide provenance (who published the skill) or confirm whether the maintainer intends to use Alipay data (and how credentials/cookies would be handled).

Review Dimensions

Purpose & Capability
note
Name/description: fund analysis. The included Python scripts implement scraping and analysis against fund.eastmoney.com (天天基金/东方财富), which is consistent with the stated features. However, SKILL.md and references/guide.md sometimes claim data comes from 支付宝 (Alipay) and reference a fund.1234567.com domain and simulating login/cookies, none of which the scripts actually use. This mismatch is an inconsistency to be aware of but not necessarily malicious.
Instruction Scope
note
Runtime instructions direct the agent/user to run local scripts that only perform HTTP requests to eastmoney endpoints and parse the returned HTML/JS. The scripts do not read arbitrary local files or environment variables. The discrepancy: the docs mention simulating login and cookies for Alipay data, but the scripts implement no login and request no credential input; this ambiguous guidance could lead to follow-up instructions asking for cookies.
Install Mechanism
ok
No remote install spec; an included install.sh only sets execute bits and checks a local ~/.codebuddy/skills/fund-analyzer path. No downloads from third-party URLs or archives, so install risk is low.
Credentials
note
The skill declares no required env vars or credentials, and the code does not require secrets. But the documentation mentions simulated login and cookies for Alipay pages; if a later change or the maintainer asks you to provide cookies/credentials, that would be disproportionate and risky. As shipped, no credentials are required.
Persistence & Privilege
ok
Skill is user-invocable only (always: false). It does not request persistent elevated privileges or modify other skills. install.sh only touches its own directory and script permissions.