A-share / Hong Kong / US stock data query

Review

Audited by ClawScan on May 10, 2026.

Overview

The stock-data skill mostly matches its purpose, but it includes an out-of-scope local portfolio branch that can run an unreviewed script outside the skill.

Install only if you are comfortable sending stock-query text to akshare.devtool.uk. Avoid using this skill for local portfolio or holdings management unless the maintainer removes or clearly documents the external portfolio script and adds explicit confirmation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A portfolio-related query could cause the agent to run unreviewed local code and potentially read or change local holding records.

Why it was flagged

The skill can execute a Python script outside the supplied skill files for portfolio operations. That script is not in the manifest, and this behavior is outside the stated stock-data lookup purpose.

Skill content

portfolio_script = os.path.join(os.path.dirname(__file__), "..", "a-stock-analysis", "scripts", "portfolio.py") ... subprocess.run(["python3", portfolio_script, "remove", code_match.group(1)], ...)

Recommendation

Remove the portfolio branch, include and review the helper script, or require a separate explicit opt-in skill with clear user confirmation before any local portfolio operation.

What this means

A user or agent might unintentionally trigger local portfolio handling through ordinary holdings-related wording.

Why it was flagged

Portfolio wording is automatically classified into the PORTFOLIO handler even though SKILL.md says not to use the skill for local holdings management.

Skill content

if any(k in query for k in ["持仓", "仓位", "我的股票"]):
    return PORTFOLIO

Recommendation

Disable this route for this skill, or make portfolio management a clearly documented, separately invoked capability with confirmation and bounded file access.

What this means

Stock questions, symbols, and any personal details included in the query may be transmitted to the hosted service.

Why it was flagged

The skill sends the user’s natural-language stock query and parsed fields to a hosted service. This is disclosed and central to the skill, but it is still an external data flow.

Skill content

DEFAULT_SERVICE_URL = "https://akshare.devtool.uk" ... payload = {"intent": intent_obj.intent, "query": intent_obj.query or "", "symbol": intent_obj.symbol, ...}

Recommendation

Use the skill for market-data questions only, avoid including private portfolio or account details, and review the hosted service’s trustworthiness before relying on it.