悟道 · A股涨停板

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a read-only A-share (A股) limit-up data skill that depends on a third-party API key, with no code or persistence; users should still verify the provider and protect the key.

This skill is reasonable for fetching A-share limit-up (涨停板) data. Before installing, confirm that stock.quicktiny.cn is the provider you intend to use, configure only a dedicated LB_API_KEY, and make sure LB_API_BASE remains set to the documented API URL.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation (Severity: Info)
What this means

The agent may contact the stock-data API to answer relevant questions, but the provided artifacts do not show account mutation or destructive actions.

Why it was flagged

The skill scopes the agent to documented API paths and parameters, which reduces tool-misuse risk while still indicating the agent will make external API calls.

Skill content
Only use the paths and parameters listed in the "Endpoints" section of this document.
Recommendation

Keep requests limited to the documented endpoints and confirm LB_API_BASE is the intended provider URL before use.

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

If the API key is exposed or sent to the wrong base URL, someone could use the user's provider account or quota.

Why it was flagged

The skill requires and uses a bearer API key for the external stock-data service; this is expected for the purpose but is still credentialed access.

Skill content
export LB_API_KEY="lb_your_key_here" ... curl -s -H "Authorization: Bearer $LB_API_KEY" "$LB_API_BASE/endpoint"
Recommendation

Use a dedicated, revocable API key; do not paste real keys into chat; and keep LB_API_BASE set to the intended service URL.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Info)
What this means

Users have little registry-level provenance for the skill or its provider to rely on before registering for the external API service.

Why it was flagged

The registry does not provide source or homepage provenance. Because the skill is instruction-only with no install script or code files, this is a notice rather than a concern.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the provider website and account/API-key process independently before installing or configuring the skill.