v1.0.0

A Stock Analysis.Bak

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:25 AM.

Analysis

The stock-analysis features mostly match the description, but the package identity and portfolio storage path do not match the registry listing, so it deserves review before installation.

Guidance: Before installing, verify that this .Bak package is from a trusted publisher and is intentionally meant to share the original a-stock-analysis portfolio file. If you use it, be aware that your stock symbols may be sent to Sina Finance and that your local portfolio file may contain sensitive cost and quantity information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
_meta.json
"ownerId": "kn707vekcz9f58mg3b3cjs3jc17zye0v", "slug": "a-stock-analysis"

The registry metadata for this review lists a different owner ID and the slug a-stock-analysis-bak, while the packaged metadata identifies a different owner and slug. This creates a concrete provenance and namespace mismatch.

User impact: You may be installing a backup or repackaged copy whose internal identity does not match the registry listing.
Recommendation: Verify the publisher/source before installing, and prefer a package whose _meta.json owner and slug match the registry listing.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
uv run {baseDir}/scripts/analyze.py 600789

The quick-start requires running the local scripts through uv, but the registry requirements list no required binaries. This is an under-declared runtime dependency rather than evidence of malicious behavior.

User impact: The skill may not run unless uv is already installed, and users may not see that requirement from the registry metadata.
Recommendation: Declare uv as a required binary or document installation prerequisites clearly before use.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Info | Confidence: High | Status: Note
SKILL.md
Uniformly uses the Sina Finance API... `hq.sinajs.cn` ... `CN_MarketDataService.getKLineData`

The skill discloses that it uses Sina Finance endpoints for real-time and minute-level market data. This is purpose-aligned, but queried stock symbols are sent to an external provider.

User impact: Sina Finance may see which stock symbols are queried, including symbols from your saved portfolio analysis.
Recommendation: Use the skill only if sending queried stock symbols to Sina Finance is acceptable.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
scripts/portfolio.py
PORTFOLIO_FILE = Path.home() / ".clawdbot" / "skills" / "a-stock-analysis" / "portfolio.json"

The script persists portfolio data to a hard-coded a-stock-analysis path even though the registry slug is a-stock-analysis-bak. The same file stores portfolio records including cost and quantity, so this can reuse or overwrite data outside the listed package namespace.

User impact: The skill could read, change, or delete portfolio records that belong to another a-stock-analysis installation, and the file contains sensitive financial holdings information.
Recommendation: Use a storage path that matches the installed slug, confirm before modifying/removing positions, and back up or inspect the portfolio JSON before using this backup package.