Back to skill
Skillv2.0.0
ClawScan security
China Stock Lowpricebull · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 7:37 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are coherent with its stated purpose (a public-source A‑share selector using Eastmoney public API); it only needs Python and makes outbound requests to Eastmoney's public API.
- Guidance
- This skill appears to be what it says: a public-source stock selector that calls Eastmoney's public API and returns JSON. Before installing, verify you are comfortable allowing the agent to run the included Python script (it will make outbound HTTP requests to push2.eastmoney.com). There are no required credentials and no hidden endpoints, but outputs are informational only and not investment advice. If you need extra assurance, inspect the small Python file locally before running or run it in an isolated environment. If you want to restrict network access, run it offline or in a network-restricted sandbox.
Review Dimensions
- Purpose & Capability
- okName/description match the included script and runtime instructions. The script queries Eastmoney's public push2 API to implement the stated lowpricebull/smallcap/profitgrowth selectors. Required binaries (python/python3) are appropriate and proportional.
- Instruction Scope
- okSKILL.md instructs the agent to run the included Python script and optionally use web_search/web_fetch for supplementary info. The instructions do not ask the agent to read unrelated files, access secrets, or transmit data to unexpected endpoints; network access is limited to the public Eastmoney API and optional web fetch/search.
- Install Mechanism
- okNo install spec — the skill is instruction+script only. No archives or external installers are fetched. This minimizes disk-write/third-party install risk.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. That is proportionate for a public-data stock selector. Nothing in the code attempts to read env vars or other secrets.
- Persistence & Privilege
- okalways is false and the skill does not request persistent/system-wide changes. It only runs the included script when invoked and does not modify other skills or agent config.