VN Stock Scanner
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If inputs are not handled carefully by the agent/runtime, malformed ticker or keyword text could cause command errors or unintended shell interpretation.
The skill relies on exec and substitutes a user-derived stock ticker into a command. This is aligned with the scanner purpose, but raw command invocation should validate and quote user-derived parameters.
Use the `exec` tool to run the command: python3 /home/hoang/.openclaw/workspace/vn-stock-scanner/scripts/scanner.py ticker --ticker <mã_cổ_phiếu>
Use a package-relative script path and pass ticker/keyword values as structured arguments where possible; restrict tickers to expected stock-code characters.
On a different machine, the command may fail or could point to a different local file than the bundled scanner.py.
The command references a user-specific absolute path rather than a package-relative path, so the executed helper's location should be checked against the reviewed artifact.
python3 /home/hoang/.openclaw/workspace/vn-stock-scanner/scripts/scanner.py news --keywords "<từ_khóa>"
Update the skill to reference the included script by a registry/package-relative path and declare python3/requests requirements in the install metadata.
A network attacker could potentially alter the news or ticker data shown to the user.
The script disables certificate verification for HTTPS requests. The external data fetch is purpose-aligned, but this makes spoofed or tampered responses easier to accept.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
resp = requests.get(url, headers=headers, timeout=10, verify=False)
Enable normal TLS certificate verification and only disable it with explicit user consent for troubleshooting.
