Skill v1.0.0
ClawScan security
query and monitor stock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 5, 2026, 9:36 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The code mostly matches a stock-quote and monitoring skill, but there are inconsistencies (undeclared dependency on an external CLI, a broken test file parameter, and no install guidance) that deserve attention before installing or running it.
- Guidance: This package appears to implement the advertised stock-quote and monitor features, but do not run it blindly. Before installing or running:
  1) Ensure you trust the repository and inspect the code (monitor.py uses subprocess to call a local 'openclaw' CLI to send alerts and will spawn a persistent child process and write files under data/ and logs/).
  2) Install Python deps from requirements.txt (akshare, pandas, requests) and confirm the environment can reach xueqiu.com.
  3) Make sure the 'openclaw' binary is installed and configured (credentials for delivering messages live outside this package) or change _send_alert to use a mechanism you trust.
  4) Note a functional inconsistency: test.py calls start_monitor(names=[...]) but start_monitor expects (target, interval, threshold) — treat test.py as broken and avoid running it until fixed.
  5) Run the code in an isolated environment (or sandbox) first, and inspect data/ files created (watchlist.json, xueqiu_token.json, monitor.pid, logs) and the messages sent by openclaw.
  If you need the monitor feature but do not want automatic messaging, modify _send_alert to log locally or to a safe endpoint.
Review Dimensions
- Purpose & Capability (concern): The skill's name/description (A股行情查询、管理自选股与监控, i.e. A-share quote lookup, watchlist management and monitoring) aligns with the code (quote/search/watchlist/monitor). However the monitor sends alerts by invoking a local CLI 'openclaw' via subprocess without declaring that binary as a requirement; the registry metadata lists no required binaries. Also test.py calls start_monitor(names=[...]) but the real start_monitor signature expects (target, interval, threshold) — this mismatch is a functional inconsistency (likely a bug) that means included files haven't been fully validated.
- Instruction Scope (note): SKILL.md instructs running Python one-liners and using the package from the project root, setting a monitor_target (openId), and starting/stopping the monitor. The runtime instructions reference local config and data files (data/config.json, data/watchlist.json, logs/, etc.), which is expected. It does not explicitly document the need for the external 'openclaw' command (used to deliver alerts) or the system permissions required to spawn background processes and write files; that omission widens agent discretion and is worth flagging.
- Install Mechanism (note): There is no install spec (instruction-only from the platform's perspective), but the bundle includes code and a requirements.txt (akshare, pandas, requests). This is reasonable for functionality, but the package does not provide an automated install step or declare that the 'openclaw' CLI must be present on PATH. The lack of an install step means users may run code without satisfying runtime prerequisites.
- Credentials (note): The skill requests no environment variables or credentials. It contacts xueqiu.com for quotes (via requests) and caches cookies/tokens locally (data/xueqiu_token.json). It also calls a local 'openclaw' binary to send messages to an openclaw target (user:ou_xxx). Not requesting credentials is proportional, but relying on a configured local messaging CLI (openclaw) without declaring it is an unexplained dependency — make sure the CLI is present and configured before use.
- Persistence & Privilege (note): The skill persists state under its own data/ and logs/ directories and spawns a background monitor subprocess (writes monitor.pid). always:false (good). Writing local files and running a long-lived child process are reasonable for this purpose, but be aware the background process will continue running independently and will call out to the network (xueqiu) and to the 'openclaw' CLI to send messages.
