A-Share / Hong Kong Stock / US Stock Data Query
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A portfolio-related query could cause the agent to run unreviewed local code and potentially read or change local holding records.
The skill can execute a Python script outside the supplied skill files for portfolio operations. That script is not in the manifest, and this behavior is outside the stated stock-data lookup purpose.
portfolio_script = os.path.join(os.path.dirname(__file__), "..", "a-stock-analysis", "scripts", "portfolio.py") ... subprocess.run(["python3", portfolio_script, "remove", code_match.group(1)], ...)
Remove the portfolio branch, include and review the helper script, or require a separate explicit opt-in skill with clear user confirmation before any local portfolio operation.
A user or agent might unintentionally trigger local portfolio handling through ordinary holdings-related wording.
Portfolio wording is automatically classified into the PORTFOLIO handler even though SKILL.md says not to use the skill for local holdings management.
if any(k in query for k in ["持仓", "仓位", "我的股票"]):
    return PORTFOLIO
Disable this route for this skill, or make portfolio management a clearly documented, separately invoked capability with confirmation and bounded file access.
Stock questions, symbols, and any personal details included in the query may be transmitted to the hosted service.
The skill sends the user’s natural-language stock query and parsed fields to a hosted service. This is disclosed and central to the skill, but it is still an external data flow.
DEFAULT_SERVICE_URL = "https://akshare.devtool.uk" ... payload = {"intent": intent_obj.intent, "query": intent_obj.query or "", "symbol": intent_obj.symbol, ...}
Use the skill for market-data questions only, avoid including private portfolio or account details, and review the hosted service’s trustworthiness before relying on it.
