Skill v1.7.0
ClawScan security
Astock Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 12:39 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what its description says (query A-share minute data), but several inconsistencies and oddities (a hard-coded shared API token, a forced sys.path insertion pointing at a user-home package path, and mismatched metadata) make the package suspicious and worth closer inspection before use.
- Guidance
- This skill appears to implement the described market-data queries, but there are multiple red flags you should address before installing or using it with real credentials:
  - Do not rely on the built-in shared token for production. It is hard-coded in the script (search for the long string literal) and is shared across users; use your own QGDATA_TOKEN instead.
  - The script forcibly inserts a path into sys.path that points to ~/china-stock-skill/qgdata_env/..., which is unusual and risky: the inserted entry is searched ahead of the standard site-packages, so any qgdata package placed there is preferred over the properly installed one. Inspect or remove that line (sys.path.insert(...)), or ensure the directory is safe and not writable by untrusted parties.
  - Metadata mismatch: the registry metadata claims no required env vars or binaries, but SKILL.md requires python3 and QGDATA_TOKEN. Ask the publisher to correct the metadata and to provide a homepage or source repository so you can verify provenance.
  - The script has coding issues (duplicate/early __main__ logic) that may cause runtime errors; run it in an isolated sandbox first to test its behavior.
  - If you plan to use this for trading or automated strategies, create and use a dedicated personal API token, rate-limit your usage, and verify the qgdata package source (pip install from PyPI or vendor it from a trusted repo).
  If you cannot verify the package provenance and remove the sys.path hack, avoid using the skill with sensitive credentials. If you want, I can: (1) show the exact lines to inspect/remove (the sys.path insertion and the hard-coded token), (2) produce a safer wrapper that only uses a system-installed qgdata package, or (3) help craft questions to send to the skill publisher to establish trust.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (A-share minute-level data via qgdata) matches the code and SKILL.md: it calls qgdata.pro_api to fetch minute K-line data. However, the registry metadata claims no required env vars or binaries while SKILL.md declares python3 and QGDATA_TOKEN, a clear metadata inconsistency. The code also contains an unexpected sys.path insertion pointing at a user-home qgdata_env path instead of relying on a normally pip-installed package, which the SKILL.md instructions do not justify.
- Instruction Scope (note): SKILL.md instructs installing qgdata and pandas and setting QGDATA_TOKEN or relying on a built-in token; the instructions otherwise stay within the stated purpose (querying market data). It references ~/.openclaw/.env for token storage (expected for this platform). No instructions ask the agent to read unrelated system files or exfiltrate data, but the code's behavior (the sys.path modification and the built-in token) expands the runtime assumptions beyond the written instructions.
- Install Mechanism (ok): There is no install spec (instruction-only), which is low risk. SKILL.md suggests pip install qgdata pandas (expected for a Python tool). Nothing is downloaded from arbitrary URLs or obscure hosts. However, the code's forced sys.path insertion suggests it expects a locally vendored qgdata package rather than the standard installation, an odd design choice but not an install-URL risk.
- Credentials (concern): The only credential surface is an API token for qgdata (QGDATA_TOKEN), which is appropriate for this skill. Concerns: (1) the code embeds a hard-coded shared 'free' token in plaintext, a secret baked into the script and used by all users, which is poor practice and could be abused; (2) SKILL.md and the script read ~/.openclaw/.env and QGDATA_TOKEN, but the registry metadata does not declare this requirement, an inconsistency that lowers trust; (3) the sys.path insertion (pointing at ~/china-stock-skill/...) could cause the script to import a malicious qgdata package if that directory is writable by or controlled by another party on the host.
- Persistence & Privilege (ok): The skill does not request always:true, no install spec writes to disk, and it does not modify other skills or system-wide settings. It reads ~/.openclaw/.env (the platform config path), which is expected for storing a token. No persistent privileged behavior is requested.
