Skill v1.0.7

ClawScan security

Stock Historical Data Query - 股票历史行情查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:52 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested credential (JISU_API_KEY) match its stated purpose (querying JisuAPI stock history); nothing appears disproportionate or covert.
Guidance
This skill appears to do exactly what it says: call JisuAPI to fetch historical stock data. Before installing, confirm you are comfortable granting the skill your JisuAPI key (it is required and used to call api.jisuapi.com). Ensure the runtime has Python 3 and the 'requests' package (pip install requests) or add that dependency. Be aware that the skill makes network requests to JisuAPI (check quota, costs, and privacy of data sent). If you want extra caution, create a dedicated JisuAPI key with limited quota for this skill.

Review Dimensions

Purpose & Capability
ok: Name/description ask for historical stock data and the skill uses the JisuAPI stockhistory endpoints and requires a JISU_API_KEY; this is coherent and expected.
Instruction Scope
ok: SKILL.md instructs the agent to call the included Python script with JSON parameters and to set JISU_API_KEY; the script only contacts api.jisuapi.com and returns API responses. It does not read unrelated files, other env vars, or transmit data to unexpected endpoints.
Install Mechanism
note: No install spec (instruction-only), which limits disk writes. However, the included Python script depends on the third-party 'requests' library, which SKILL.md does not mention or install; the runtime must provide requests or the user must pip-install it.
Credentials
ok: Only a single API key (JISU_API_KEY) is required and is justified by the use of JisuAPI. No unrelated credentials or config paths are requested.
Persistence & Privilege
ok: 'always' is false and the skill does not request elevated or persistent platform privileges. It makes outbound HTTP calls to the declared API only.