Skill v2.0.0
ClawScan security
China Stock Main Force · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 7:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requirements are consistent with its stated purpose (building a candidate pool from Eastmoney public data); it makes straightforward HTTP requests to a single public API and does not request credentials or unusual system access.
- Guidance: This skill appears coherent and limited in scope: it runs a bundled Python script that fetches real-time data from Eastmoney and returns a JSON candidate list. Before installing, ensure you trust outbound network access to https://push2.eastmoney.com and are comfortable with the agent running Python scripts (the skill requires python3/python on PATH). No credentials are requested and no local files are read or written by the script. Remember outputs are market-data-derived suggestions and not financial advice. If you have policies restricting agents making external HTTP calls, block/monitor that traffic or run the script in a controlled environment first.
Review Dimensions
- Purpose & Capability: ok. Name/description (selecting A-share main-force candidates) align with the included Python script and SKILL.md. Required binaries (python3/python) match the script, and there are no unrelated environment variables or config paths.
- Instruction Scope: ok. SKILL.md instructs the agent to run the included Python script and optionally use web_search/web_fetch for supplementary context. The script only performs HTTP GETs to Eastmoney, parses JSON, and prints results — it does not read arbitrary files, access other env vars, or transmit data to unexpected endpoints.
- Install Mechanism: ok. No install spec is provided (instruction-only with an included script). Nothing is downloaded or extracted at install time; risk from the install mechanism is minimal.
- Credentials: ok. The skill requests no environment variables or credentials. The script makes outbound requests to a public Eastmoney API endpoint — this is proportionate to the stated purpose.
- Persistence & Privilege: ok. "always" is false and the skill does not request any persistent system-wide privileges or modify other skills' configurations. Normal autonomous invocation is allowed (platform default) but not a special privilege here.
