Skill v2.0.0

ClawScan security

China Stock Sector Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 14, 2026, 7:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements line up with its stated purpose: it runs a Python script that fetches public sector snapshots from Eastmoney and returns JSON; it does not request extraneous credentials or access.
Guidance
This skill runs a bundled Python script that queries Eastmoney public API endpoints and returns JSON-formatted sector and concept snapshots; it does not ask for credentials or read local secrets. Before installing, confirm you are comfortable with the agent making outbound HTTP requests to eastmoney.com (and any supplemental web_fetch/web_search calls) and that this complies with your policies or network rules. Also remember outputs are informational only and not investment advice. If you need stricter controls, restrict network access or review the script source before enabling autonomous invocation.

Review Dimensions

Purpose & Capability
ok
Name/description match the included Python script and SKILL.md. The only required runtime is Python and the script calls Eastmoney public APIs to produce sector/concept snapshots — this is proportionate to the claimed functionality.
Instruction Scope
ok
SKILL.md directs the agent to run the bundled script and optionally use web_search/web_fetch for supplemental info. The script only issues HTTP GETs to Eastmoney public endpoints and prints JSON; it does not read local files, environment secrets, or transmit data to unexpected endpoints.
Install Mechanism
ok
No install spec; the skill is instruction-only with a small included script. Nothing is downloaded or extracted at install time and no third-party packages or external installers are invoked.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The hard-coded 'ut' parameter in the script is part of the API query and is not a user secret; no sensitive env access is requested.
Persistence & Privilege
ok
always is false and the skill is user-invocable (defaults). It does not modify other skills or system-wide config and does not request permanent presence or elevated privileges.