v1.0.0

A-Share Performance Express Report Query

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:44 AM.

Analysis

The skill appears to do what it says: query a declared stock-finance API for one A-share code and return a Markdown table, with no evidence of hidden credential use, persistence, or destructive behavior.

Guidance: This looks safe for its stated purpose. Before installing, be aware that stock-code queries go to the configured market data service and that the skill has limited public provenance information.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
handler.py
BASE_URL = os.environ.get("BASE_URL", "https://market.ft.tech").rstrip("/")
...
url = f"{BASE_URL}/data/api/v1/market/data/finance/stock-performance-express?{params}"

The handler sends the validated stock code and paging parameters to an external API endpoint. This is expected for the stated finance-query purpose and is disclosed, but it is still network sharing of the user's requested stock code.

User impact: The queried stock code is sent to the configured market data API; the artifacts do not show local file access or credential transmission.
Recommendation: Use the default API or only override BASE_URL with a trusted endpoint.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The skill's origin is not linked to a public source or homepage. The included code is straightforward and self-contained, but provenance is less verifiable.

User impact: It may be harder to confirm who maintains the skill or where updates come from.
Recommendation: Review the bundled handler.py before installing if provenance is important, and prefer skills with clear source links when available.