Skill v0.6.2

ClawScan security

A-share Multi-Agent Investment Research - 15 AI Analysts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 29, 2026, 1:49 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime behavior are coherent with its stated purpose (calling a remote TradingAgents API to analyze A‑share symbols); nothing requests unrelated credentials or installs arbitrary code.
Guidance
This skill appears coherent: it simply submits symbol/date/horizon parameters to a remote TradingAgents API using the provided token. Before installing: (1) Only provide a minimal-privilege API token (the skill suggests tokens of the form ta-sk-*); rotate or revoke it if exposed. (2) If you need stronger data control, self-host the backend and set TRADINGAGENTS_API_URL to your server as documented. (3) Confirm you trust the endpoint https://api.510168.xyz (or your chosen API URL) because analysis results and the symbols you query will go there. (4) Note the script accepts optional POLL_INTERVAL/POLL_TIMEOUT environment vars (not listed as required in metadata) — these are harmless operational settings. (5) Do not paste personal account details or real position data into requests, as the skill warns, because anything you submit as the symbol/parameters will be transmitted to the API.

Review Dimensions

Purpose & Capability
ok: Name/description describe a remote multi-agent stock analysis service. Declared requirements (TRADINGAGENTS_TOKEN, TRADINGAGENTS_API_URL, curl, python3, bash) align with using a web API and the provided shell script to submit jobs and poll results.
Instruction Scope
note: SKILL.md and scripts/analyze.sh show the agent/script only submits symbol/trade_date/horizons to the API and uses Authorization: Bearer $TRADINGAGENTS_TOKEN. The skill states it does not forward raw conversation text — that is consistent with the script (the script accepts explicit symbol args). One small note: the SKILL.md mentions optional env vars POLL_INTERVAL and POLL_TIMEOUT (and the script uses them) but those are not included in metadata.requires.env; they are non-sensitive operational settings and not a major issue, but SKILL.md references environment variables beyond the declared required env list.
Install Mechanism
ok: This is instruction-only with a small, readable bash script. No install spec, no downloads or extracted archives, and required system binaries (curl/python3/bash) are reasonable and expected.
Credentials
ok: Only TRADINGAGENTS_TOKEN (primary) and optionally TRADINGAGENTS_API_URL are required. These are proportional and necessary for accessing the remote API. No unrelated secrets or broad cloud credentials are requested. (Operational envs POLL_INTERVAL/POLL_TIMEOUT are referenced in instructions but are benign and optional.)
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and has no install actions that grant persistent system privileges. Autonomous invocation is allowed (platform default) and appropriate for this API-invoking skill.