v1.0.0

A Stock Analysis Conflict

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:24 AM.

Analysis

The stock analysis behavior is mostly coherent, but the package identity and portfolio storage path do not match the registry slug, so it deserves review before installation.

Guidance: Install only if you trust the publisher and confirm the slug/owner mismatch is intentional. Expect the skill to store your local portfolio cost and quantity data in a JSON file and to query Sina Finance for ticker data; review or back up that file before using portfolio mutation commands.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium. Confidence: High. Status: Concern.
_meta.json
"ownerId": "kn707vekcz9f58mg3b3cjs3jc17zye0v", "slug": "a-stock-analysis", "version": "1.0.0"

The package self-identifies as owner kn707... and slug a-stock-analysis, while the supplied registry metadata identifies owner kn783... and slug a-stock-analysis-conflict. This mismatch is a concrete provenance and identity concern.

User impact: A user may think they are installing one registry package while the artifacts identify themselves as a different package, making origin and update trust harder to verify.
Recommendation: Verify the publisher and intended slug before installing; the package metadata should be corrected so registry identity, SKILL.md, and _meta.json agree.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Concern.
scripts/portfolio.py
PORTFOLIO_FILE = Path.home() / ".clawdbot" / "skills" / "a-stock-analysis" / "portfolio.json"

The portfolio file path is hard-coded to a-stock-analysis rather than the evaluated registry slug a-stock-analysis-conflict. The file stores persistent position data such as stock code, cost, and quantity.

User impact: The skill could read, update, or delete portfolio records associated with a differently named skill path, causing unexpected sharing, overwrite, or stale-data reuse.
Recommendation: Use a storage path that matches the installed slug, and back up or inspect any existing portfolio.json before using add, update, remove, or analyze commands.