v1.0.1

A股智投大师

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

The skill appears coherent for A-share stock analysis, with disclosed but noteworthy use of an API key, external provider calls, companion skill auto-installation, and watchlist or alert changes.

GuidanceBefore installing, review the five auto-installed companion skills, configure only the API key you intend to use, and require confirmation before the agent changes watchlists or monitoring rules. Do not treat its stock analysis as guaranteed investment advice.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

"requires": { "skills": ["mx-data", "mx-search", "mx-select-stock", "mx-selfselect", "stock-monitor-skill"], "action": "auto-install" }

The skill declares automatic installation of five companion skills. These dependencies are directly related to the stated stock-analysis purpose, but the artifacts do not pin versions or identify dependency publishers.

User impactInstalling this skill may also install or enable other stock-data, search, watchlist, screening, and monitoring skills.

RecommendationReview the dependent skills and their permissions before allowing auto-installation.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

scripts/a_stock_analysis.py

url = f"{API_BASE}/self-select/manage"

The included code can call a provider endpoint for managing self-selected stocks. This matches the stated watchlist-management feature, but it is an account-side mutation capability.

User impactThe skill may add, remove, or otherwise change stock watchlist data when asked to manage self-selected stocks.

RecommendationAsk the agent to confirm before adding, deleting, or changing watchlist or monitoring rules.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/a_stock_analysis.py

MX_API_KEY = os.environ.get("MX_API_KEY") or os.environ.get("MX_SEARCH_API_KEY")

The code uses an environment-provided API key and sends it as an API credential. SKILL.md discloses that an API key is needed, but the registry metadata lists no required environment variables or primary credential.

User impactThe skill can authenticate to the Eastmoney data service using your configured API key.

RecommendationUse a dedicated, least-privileged API key if available, and confirm which dependent skills receive the key.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/a_stock_analysis.py

API_BASE = "https://mkapi2.dfcfs.com/finskillshub/api/claw"

The skill sends stock queries, search keywords, screening terms, and watchlist-related requests to an external provider API. This is expected for market-data functionality, but the artifacts do not describe provider data retention or boundary details.

User impactYour stock queries and related requests may be visible to the external data provider.

RecommendationAvoid entering unnecessary personal or sensitive information in stock-analysis prompts, and review the provider's API/privacy terms if this matters to you.