Skill v1.0.0

ClawScan security

Earnings Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 10:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions tell the agent to run a local Python script and expect AKShare data, but the repository provides no code or install/dependency declarations — the runtime requirements are missing and inconsistent with the skill metadata.
Guidance
This skill's documentation expects you to run a local Python script (skills/akshare-finance/scripts/earnings.py) with python3.12 and to use AKShare/东方财富 data, but the skill package contains no code or install instructions. Do not run unknown scripts. Before installing or enabling this skill, ask the publisher for: (1) the missing earnings.py (or include it in the skill), (2) a clear dependency list and installation steps (Python version, AKShare), and (3) confirmation that no credentials or sensitive files are needed. If you must run the provided commands, inspect the earnings.py source yourself to ensure it only fetches financial data and does not access or exfiltrate unrelated files or secrets.

Review Dimensions

Purpose & Capability
concern: The skill name/description (A股财报研读) matches the instructions' intent (financial-statement analysis). However the SKILL.md expects a local script at skills/akshare-finance/scripts/earnings.py and a specific Python binary (python3.12), but the skill package contains no code files and declares no required binaries or dependencies (e.g., AKShare). That mismatch means required capabilities are not provided or declared.
Instruction Scope
concern: Runtime instructions are limited to running a local Python script and formatting analysis output; they do not request unrelated system files or secrets. The main issue is that the instructions require executing an external script path that is not included with the skill. Executing an out-of-band/unseen script is a risk because its behavior is unknown.
Install Mechanism
ok: There is no install spec (instruction-only skill), so nothing is downloaded or written by an installer. This lowers installation risk but amplifies the problem that required code/dependencies are missing.
Credentials
note: The skill declares no environment variables or credentials, which is consistent with a read-only data-analysis utility. However SKILL.md assumes a specific Python executable (python3.12) and use of AKShare/东方财富 as the data source — these dependencies are not declared. The lack of declared dependencies or instructions for installing AKShare/Python is an incoherence.
Persistence & Privilege
ok: The skill does not request always: true and has no install behavior that modifies agent-wide settings. Model invocation is allowed (default), which is normal for skills.