Skillv1.3.0

ClawScan security

investoday-stock-research-interpretation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 28, 2026, 7:04 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This instruction-only skill is internally consistent with its stated purpose: it calls a separate finance-data skill to fetch public A‑share research data and produces structured, evidence-constrained reports; it requests no installs or credentials itself.
Guidance: This skill appears coherent and low-risk by itself: it only describes querying a finance-data skill for public research and formatting a report, and it doesn't request credentials or install code. Before installing, check the dependent skill investoday-finance-data: verify what API endpoints and credentials it requires, where those credentials are stored, and its privacy/retention policy. Confirm the finance-data skill actually returns only public market data (and not user data) and that you are comfortable with the agent's ability to call that tool autonomously. Remember this skill explicitly says it will not give buy/sell recommendations — if you need regulatory compliance or stricter data controls, review the dependent skill and runtime environment before enabling.

Review Dimensions

Purpose & Capability: okThe name/description (A股研报解读) match the instructions: the SKILL.md details searching stocks, fetching basic info, sentiment and forecast/ratings, and then producing a structured report. All required operations relate to collecting and summarizing sell-side research, which is coherent with the stated purpose.
Instruction Scope: okThe instructions strictly describe using tool IDs provided by the dependent investoday-finance-data skill (search, stock/basic-info, research/sentiment, report/stock-forecast-ratings) and a five-step analysis framework. There are explicit evidence constraints and no steps that read arbitrary local files, request unrelated environment variables, or transmit data to unexpected endpoints within this SKILL.md.
Install Mechanism: okNo install spec and no code files — instruction-only. That minimizes on-disk risk. Nothing is downloaded or installed by this skill itself.
Credentials: noteThis skill declares no required env vars or credentials, which is proportionate. However it depends on investoday-finance-data; that other skill may require API keys, endpoints, or credentials. The security posture therefore depends on the dependent skill's privileges and handling of credentials.
Persistence & Privilege: okalways is false and model invocation is not disabled (normal). The skill does not request persistent presence or system-wide configuration changes. The SKILL.md claims not to record or store queries — this is a behavioral claim in the docs and not enforced by the manifest itself.