持仓诊断分析 (Holdings Diagnostic Analysis)
Status: Warn. Audited by ClawScan on May 10, 2026.
Overview
This stock-analysis skill is mostly aligned with its stated purpose, but it uses unsafe code execution (eval of a remote market-data response and exec of the holdings file) and a hard-coded external import path; both should be reviewed before use.
Do not use this skill on an unsandboxed machine until the maintainer replaces eval/exec with safe data parsing and removes hard-coded external import paths. If you still test it, review the holdings files first, run it in a restricted environment, and remember that its output is not investment advice.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote response or network path were compromised, running the holdings analysis could execute arbitrary Python code on the user's machine.
The script evaluates text returned from a remote Tencent market-data endpoint as Python code instead of parsing it as data.
raw = eval(text)['data'][prefix+code]['qfqday']
Replace eval with safe parsing: strip the callback wrapper, decode the remaining body with json.loads, and validate the response schema (expected keys and row shape) before use.
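The recommended fix, as an added example that is not the skill's own code: a JSONP-style callback wrapper is stripped with a regex, the body is decoded with json.loads, and the nested data[prefix+code]['qfqday'] lookup is schema-checked before use. The sample responses are constructed here; the callback name, keys and row layout are assumptions standing in for the real Tencent endpoint, whose exact format this page does not show.

```python
import json
import re

# Constructed sample in the shape the finding describes: a callback wrapper
# around a JSON body. Callback name, keys and row contents are illustrative
# assumptions, not a captured Tencent response.
SAMPLE_RESPONSE = (
    'kline_dayqfq({"code":0,"msg":"","data":{"sz000001":'
    '{"qfqday":[["2026-05-08","10.10","10.30","10.40","10.00","123456"]]}}})'
)

# What a compromised endpoint or on-path attacker could return. eval() would
# run the __import__ call; json.loads rejects it as non-JSON.
MALICIOUS_RESPONSE = "kline_dayqfq(__import__('os').system('echo pwned') or {})"

# callback_name( ... ) with optional trailing semicolon; DOTALL for multi-line bodies
_CALLBACK_RE = re.compile(r"^\s*[A-Za-z_][\w.]*\s*\((.*)\)\s*;?\s*$", re.S)


def strip_callback(text: str) -> str:
    """Return the payload inside a callback wrapper, or the text unchanged."""
    m = _CALLBACK_RE.match(text)
    return m.group(1) if m else text


def parse_qfqday(text: str, prefix: str, code: str) -> list:
    """Safe replacement for: raw = eval(text)['data'][prefix+code]['qfqday'].

    Raises ValueError (json.JSONDecodeError is a subclass) on anything that is
    not JSON or does not match the expected shape.
    """
    payload = json.loads(strip_callback(text))
    if not isinstance(payload, dict):
        raise ValueError("top-level response is not an object")
    data = payload.get("data")
    if not isinstance(data, dict):
        raise ValueError("missing 'data' object")
    symbol = data.get(prefix + code)
    if not isinstance(symbol, dict):
        raise ValueError(f"no entry for symbol {prefix + code!r}")
    rows = symbol.get("qfqday")
    if not isinstance(rows, list):
        raise ValueError("'qfqday' is not a list")
    for row in rows:
        # Each K-line row is expected to be a list of at least six strings
        # (an assumption about the row layout; adjust to the real schema).
        if not (isinstance(row, list) and len(row) >= 6
                and all(isinstance(x, str) for x in row[:6])):
            raise ValueError(f"malformed K-line row: {row!r}")
    return rows


def demo() -> dict:
    """Parse the benign sample and confirm the malicious one is rejected."""
    rows = parse_qfqday(SAMPLE_RESPONSE, "sz", "000001")
    try:
        parse_qfqday(MALICIOUS_RESPONSE, "sz", "000001")
        rejected = False
    except ValueError:
        rejected = True
    return {"rows": len(rows), "first_date": rows[0][0], "malicious_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The regex only removes the wrapper; it never evaluates anything, so a payload that is valid Python but not valid JSON fails in json.loads rather than running.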
A poisoned or accidentally modified holdings file could run code when the user only expects stock-position data to be read.
The main script executes the holdings data file as Python code even though SKILL.md presents it as a simple list of holdings to edit.
exec(open(_std, encoding='utf-8').read(), _h)
Store holdings in JSON, CSV, or another data-only format, or parse the HOLDINGS literal safely without executing the whole file.
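One way to keep the existing HOLDINGS = [...] file format while dropping exec, as an added example that is not the skill's own code: parse the file with ast, allow only a single assignment to HOLDINGS, convert it with ast.literal_eval (which never evaluates calls, names or imports), and validate the entries. The two holdings files below are constructed for the example; the field names code, name, cost and qty are assumptions about the skill's holdings layout.

```python
import ast

# Constructed benign holdings file in the shape the finding describes: a
# Python file whose only intended content is a HOLDINGS list.
BENIGN_HOLDINGS_SRC = '''# -*- coding: utf-8 -*-
HOLDINGS = [
    {"code": "000001", "name": "平安银行", "cost": 10.50, "qty": 1000},
    {"code": "600519", "name": "贵州茅台", "cost": 1650.0, "qty": 100},
]
'''

# A poisoned file that exec() would run to completion.
POISONED_HOLDINGS_SRC = '''import os
os.system("echo pwned")
HOLDINGS = [{"code": "000001", "cost": 1.0, "qty": 1}]
'''

# Only an assignment, but the value is an expression, not a literal.
SNEAKY_HOLDINGS_SRC = '''HOLDINGS = [{"code": "000001", "cost": __import__("os").getcwd(), "qty": 1}]
'''

ALLOWED_KEYS = {"code", "name", "cost", "qty"}  # assumed schema


def load_holdings_literal(src: str, name: str = "HOLDINGS") -> list:
    """Safe replacement for: exec(open(_std, encoding='utf-8').read(), _h).

    Only `NAME = <literal>` is accepted; any other statement, or any
    non-literal value, raises ValueError without running anything.
    """
    tree = ast.parse(src)
    others = [type(n).__name__ for n in tree.body if not isinstance(n, ast.Assign)]
    if others:
        raise ValueError(f"data file contains non-assignment statements: {others}")
    targets = [
        n for n in tree.body
        if len(n.targets) == 1
        and isinstance(n.targets[0], ast.Name)
        and n.targets[0].id == name
    ]
    if len(targets) != 1:
        raise ValueError(f"expected exactly one assignment to {name}")
    value = ast.literal_eval(targets[0].value)  # ValueError on calls/names/attributes
    return validate_holdings(value)


def validate_holdings(value) -> list:
    """Schema check on the decoded literal (field names are an assumption)."""
    if not isinstance(value, list):
        raise ValueError("HOLDINGS must be a list")
    for h in value:
        if not isinstance(h, dict) or not ALLOWED_KEYS.issuperset(h):
            raise ValueError(f"unexpected holding entry: {h!r}")
        if not isinstance(h.get("code"), str) or not h["code"].isdigit():
            raise ValueError(f"bad stock code: {h.get('code')!r}")
        if not isinstance(h.get("cost"), (int, float)) or not isinstance(h.get("qty"), int):
            raise ValueError(f"bad cost/qty in {h!r}")
    return value


def is_safe_holdings_file(src: str) -> bool:
    """True if the source parses as a data-only holdings file."""
    try:
        load_holdings_literal(src)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    print(load_holdings_literal(BENIGN_HOLDINGS_SRC))
    print(is_safe_holdings_file(POISONED_HOLDINGS_SRC), is_safe_holdings_file(SNEAKY_HOLDINGS_SRC))
```

Moving the holdings to JSON and using json.load is simpler still; the ast route is for keeping the documented edit-a-Python-list workflow without the exec.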
The skill may load code from outside the reviewed package, and a file at that path could override bundled modules or change behavior unexpectedly.
The script prepends a hard-coded external skill/workspace directory to Python's import path before importing analysis modules.
sys.path.insert(0, 'C:/Users/Administrator/.qclaw/workspace-ag01/skills/trend-launch-scanner')
Remove hard-coded absolute import paths, use bundled reviewed modules, and declare any external dependency with clear provenance and versioning.
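A check for the shadowing risk described above, as an added example that is not the skill's own code: it asks the import system's path finder where a module would be loaded from for a given import path, without importing it, and flags any origin outside the reviewed package directory. The two directories and the analysis module are constructed in a temp dir; the name trend-launch-scanner stands in for the hard-coded path and the module name analysis is an assumption.

```python
import importlib.machinery
import os
import tempfile
from typing import List, Optional, Tuple


def write_module(directory: str, name: str, body: str) -> str:
    """Write a one-file module into `directory` and return its path."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w", encoding="utf-8") as f:
        f.write(body)
    return path


def resolve_origin(name: str, search_path: List[str]) -> Optional[str]:
    """File a top-level module would be loaded from on this import path.

    PathFinder is the finder the import system uses for sys.path entries;
    calling find_spec directly resolves the module without executing it.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec is not None else None


def is_inside(path: str, directory: str) -> bool:
    real_dir = os.path.realpath(directory)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_dir, real_path]) == real_dir


def check_bundled_import(name: str, package_dir: str,
                         search_path: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (ok, origin): ok only if `name` resolves from inside package_dir."""
    origin = resolve_origin(name, search_path)
    if origin is None:
        return False, None
    return is_inside(origin, package_dir), origin


def demo() -> dict:
    """Reproduce the shadowing in temp directories (constructed setup)."""
    with tempfile.TemporaryDirectory() as tmp:
        package_dir = os.path.join(tmp, "reviewed-skill")
        external_dir = os.path.join(tmp, "trend-launch-scanner")  # stands in for the hard-coded path
        os.makedirs(package_dir)
        os.makedirs(external_dir)
        write_module(package_dir, "analysis", "def analyze():\n    return 'bundled'\n")
        write_module(external_dir, "analysis", "def analyze():\n    return 'external'\n")

        # Import path as the script builds it: external dir inserted at index 0.
        unsafe_ok, unsafe_origin = check_bundled_import(
            "analysis", package_dir, [external_dir, package_dir])
        # Import path after removing the sys.path.insert: package dir only.
        safe_ok, _ = check_bundled_import("analysis", package_dir, [package_dir])
        return {
            "unsafe_resolves_to_package": unsafe_ok,
            "unsafe_origin_is_external": is_inside(unsafe_origin, external_dir),
            "safe_resolves_to_package": safe_ok,
        }


if __name__ == "__main__":
    print(demo())
```

Running check_bundled_import against the real sys.path at skill start-up, before any analysis module is imported, turns the finding into a fail-closed assertion rather than a review note.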
Tencent or network observers of the API traffic may learn which stock symbols are being queried, which can indirectly reveal portfolio interests.
The skill discloses that it calls Tencent APIs for market data; the code uses stock codes from holdings in those requests.
调用腾讯API获取实时行情 ("calls the Tencent API to fetch real-time quotes", from SKILL.md)
Use only with holdings you are comfortable querying through Tencent market-data APIs, and document this data flow clearly for users.
Local files may retain sensitive financial-position details after the analysis is complete.
The main script writes holdings-analysis results, including prices, profit percentages, and actions, to a persistent local JSON file.
out_path=os.path.join(_BASE,'holdings_result.json')
Review generated files and delete them if the holdings or profit information is sensitive.
