Skillv1.0.4

ClawScan security

Shanghai Stock Exchange Composite Index - 上证股票指数 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 3, 2026, 9:32 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requested API key align with its stated purpose of fetching minute-level Chinese stock index data from JisuAPI; no signs of unrelated or excessive access were found.
Guidance: This skill appears to do what it says: call JisuAPI to fetch minute-level stock-index data and print the JSON result. Before installing, (1) ensure you trust JisuAPI and understand its pricing/limits and privacy policy, (2) protect your JISU_API_KEY (treat it like a secret and do not share it), (3) ensure the runtime has Python 3 and the 'requests' library installed (pip install requests) since the script depends on it, and (4) verify network access to https://api.jisuapi.com. If you need stronger guarantees, review the included stockindex.py yourself — it is short and straightforward (it only reads JISU_API_KEY and performs an HTTPS GET).

Purpose & Capability: noteName/description, required JISU_API_KEY, and the network calls to api.jisuapi.com are coherent for a JisuAPI-based stock-index skill. Minor inconsistency: the Python script uses the third-party 'requests' library but the metadata and SKILL.md only require 'python3' and do not mention installing 'requests' as a runtime dependency.
Instruction Scope: okSKILL.md instructs the agent to set JISU_API_KEY and run the provided script; the instructions do not request unrelated files, secrets, or system state. The script only reads the declared JISU_API_KEY and performs an HTTPS request to the documented API.
Install Mechanism: noteThere is no install spec (instruction-only install), which keeps risk low. Note: a code file is included but no install steps are provided; users must ensure Python and the 'requests' package are available in the environment before running the script.
Credentials: okOnly JISU_API_KEY is required and is the primary credential for the JisuAPI service; no other credentials, config paths, or unrelated environment variables are requested or accessed.
Persistence & Privilege: okThe skill does not request permanent presence (always is false), does not modify other skills or system-wide settings, and has no special persistence or privileged installation behavior.