Skill v1.5.3
ClawScan security
Trader Simulator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 16, 2026, 4:43 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly matches a trading-simulator description but contains several internal inconsistencies (undeclared API-key dependency, simulated vs. real integrations, duplicate data files and inconsistent dependency names) that warrant caution before installing.
- Guidance: This skill appears to implement a multi-agent trading simulator and does not contain obvious exfiltration code, but there are several inconsistencies you should resolve before installing:
  - SKILL.md requires an 东方财富 (MX) API Key and instructs you to put it into related mx-* skills, but the registry metadata lists no required env vars; confirm where and how keys are stored and that you only put secrets into trusted, audited skills.
  - The bundled MXTools implementation currently returns simulated responses rather than performing real inter-skill calls; confirm whether, in your OpenClaw runtime, the skill will actually call mx_data/mx_search/etc. (the skill claims to rely on those). If you expect live data, test that it invokes the platform messaging interface rather than the simulated stubs.
  - There are naming mismatches and duplicates: the code references mx_selfselect/mx_select_stock/stock-monitor-skill in different places, and there are two masters.json files (top-level data/masters.json vs. scripts/data/masters.json). Ask the author to clarify which dependency names are required and which masters.json is authoritative to avoid confusion or accidental data overwrites.
  - Because this skill produces trading analysis, treat outputs as educational only; it can generate actionable-sounding advice but contains disclaimers. If you will use real account automation tied to these suggestions, audit the dependency skills (mx-data, mx-search, stock-monitor-skill) for how they handle credentials and order execution.

  If you want to proceed: contact the publisher (or inspect the repository) to confirm the above items are fixed/clarified, and test in a sandboxed environment with no real trading credentials until you verify the integration behavior.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (multi-agent trading simulator) matches the code and SKILL.md: it calls other MX skills for market data/search/monitoring and provides built-in 'master' profiles. Asking users to supply an 东方财富 (MX) API key is reasonable for live market data. However, the registry metadata lists no required environment variables while SKILL.md instructs the user to configure an API key — this mismatch is notable.
- Instruction Scope (concern): SKILL.md instructs the agent to call external skills (mx_data, mx_search, etc.) and to configure an API key in those skills. The shipped implementation (MXTools) currently returns simulated responses rather than performing actual message-interface calls; that is inconsistent with the runtime instruction '必须先调用skill获取数据' ("must call the skill first to obtain data") and may cause confusion about whether live API calls or only simulated outputs will be used. The skill writes/reads masters.json under its data directory (persisting custom profiles), which is within scope but should be expected.
- Install Mechanism (ok): There is no external install/download spec (instruction-only install). No remote archives or third-party package installs are requested by the skill itself, lowering install risk. The SKILL.md suggests installing dependent OpenClaw skills via clawhub, which is expected for this functionality.
- Credentials (note): The skill does not declare any required environment variables in the registry metadata, yet SKILL.md tells users to obtain and configure an 东方财富 API Key in related mx-* skills. Also, the skill operates by calling other skills which may themselves require credentials; those upstream credential needs are expected but are not reflected in this skill's metadata. This mismatch should be fixed or documented before trusting the package.
- Persistence & Privilege (ok): The skill does not request elevated privileges (always:false). It persists custom masters to a local data/masters.json inside the skill directory — normal for a skill that supports custom profiles. Autonomous invocation is enabled (default), which is expected; there is no 'always:true' or other unusual persistence.
