ClawHub

Stock Inquiry - 股票查询

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Your JisuAPI key will be used when the agent queries stock data, and those requests may count against your provider quota or plan.

Why it was flagged

The script reads the user's JisuAPI key from the environment and sends it to the external stock API as a request parameter. This is disclosed and purpose-aligned, but it is still credential use.

Skill content
appkey = os.getenv("JISU_API_KEY") ... all_params = {"appkey": appkey} ... requests.get(url, params=all_params, timeout=10)
Recommendation

Use a dedicated JisuAPI key if possible, keep it private, and monitor quota or billing on the provider account.