Skill v1.0.1

ClawScan security

Invest Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 11:28 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only stock analysis workflow that coherently relies on web search, PDF parsing, and local data extraction; its requirements and instructions align with its stated purpose.
Guidance
This skill is coherent for its stated purpose, but before installing: (1) be prepared to grant it network access and to install/enable the referenced helper skills (baidu-search, a PDF parser or agent-browser); (2) if you use baidu-search you may store an API key as suggested — ensure that file (~/.openclaw/env/BAIDU_API_KEY) has strict permissions and that you trust the baidu-search skill; (3) downloaded PDFs will be saved to /tmp/openclaw during runs—avoid placing sensitive files there; (4) validate all AI-extracted financial numbers against the original year‑end reports before acting on recommendations; and (5) vet any third-party code (e.g., the referenced investTemplate repo) before trusting automated pipelines.

Review Dimensions

Purpose & Capability
ok
Name/description (个股分析, FCF/四流派) match the instructions: the skill explains how to find year‑end reports, parse PDFs, compute FCF and output recommendations. Suggested external tools (baidu-search, agent-browser, PDF parsers) are reasonable and proportionate to the stated purpose.
Instruction Scope
note
SKILL.md instructs the agent to perform web searches, download PDFs to /tmp/openclaw, parse page text, and compute metrics. This is within scope, but it explicitly depends on other skills (baidu-search, pdf parser) and on network + file I/O; it also suggests a convention for storing a BAIDU_API_KEY in ~/.openclaw/env which the agent (or other skills) would read if used.
Install Mechanism
ok
Instruction-only skill with no install spec or binaries — lowest installation risk. No archives, remote downloads, or package installs are requested by this skill itself.
Credentials
note
The skill declares no required env vars, which is proportionate. It does recommend placing a BAIDU_API_KEY in a local file (~/.openclaw/env/BAIDU_API_KEY) for the baidu-search integration; this is optional but means secrets will be stored on-disk and accessible to whatever component reads that path (the baidu-search skill).
Persistence & Privilege
ok
No always:true, no privileged persistence requested. The skill is user-invocable and does not ask to modify other skills or global agent settings.