Skillv1.2.0

ClawScan security

A股短线交易决策 A Share Short Term Decision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 14, 2026, 3:59 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and requested resources are coherent with its stated purpose (A‑share short‑term decisioning); it requires market-data libraries (akshare, pandas) and writes local artifacts but does not request unrelated credentials or hidden network endpoints.
Guidance: This skill appears to be what it claims: a short‑term A‑share decision tool that fetches market data (via akshare), scores candidates, writes logs and JSON artifacts into a local data/ folder, and can optionally update config.json via the optimization subskill. Before installing or running: 1) Be prepared to install akshare and pandas (not declared in registry metadata—install manually or review dependency policy). 2) Inspect config.json and data/ to ensure you are comfortable with files being written/overwritten (the optimizer can overwrite config.json when run with --apply-to-config). 3) Expect the skill to make outbound HTTP requests through the akshare library to fetch market data (normal for this purpose). 4) Run it in a sandbox or non‑privileged environment if you want to limit effects on your filesystem. 5) If you want stricter control, avoid running the optimizer's --apply-to-config flag and review produced artifacts before applying them.

Review Dimensions

Purpose & Capability: okName/description (short‑term A‑share decisioning) matches what the code does: market sentiment, sector rotation, stock scanning, capital‑flow analysis, scoring, logging and report generation. The use of akshare/pandas is expected for this purpose.
Instruction Scope: okSKILL.md instructs running the included Python CLI (main.py) and subskill scripts; those commands map directly to functions in the code. The skill reads/writes local files under data/, reads config.json, and contacts market data via akshare — all within the stated scope. It enforces a required no‑recommendation message when no candidates exist.
Install Mechanism: noteNo install spec is declared in the registry; the README suggests 'pip install akshare pandas'. That mismatch (no declared dependencies in metadata) is a usability/packaging omission but not malicious. There are no downloads from arbitrary URLs or extract/install steps in the skill bundle itself.
Credentials: okThe skill does not declare or require any sensitive environment variables or credentials. It optionally reads SHORT_DECISION_DEBUG and SHORT_DECISION_FALLBACK_ENABLED for debug/fallback behavior — reasonable for development/runtime toggles and documented in code. No secret exfiltration patterns observed.
Persistence & Privilege: notealways:false (no forced persistent inclusion). The skill writes logs and artifacts under data/ (decision_log.jsonl, today_recommendation_*.json, config optimization outputs). The config-optimization subskill has an explicit --apply-to-config option that can overwrite the repository's config.json; this is a legitimate feature but worth noting because it mutates config files if invoked.