Skillv1.0.0

ClawScan security

futures-panda · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 4:35 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is a straightforward AKShare wrapper for futures data: its code, instructions, and dependencies align with the stated purpose and request no unrelated credentials or privileged access.
Guidance: This skill appears to do what it claims: wrap AKShare to fetch futures/option data and provide a CLI returning JSON. Before installing: (1) run it in an isolated Python virtualenv to limit side effects; (2) confirm you are comfortable installing akshare and pandas from PyPI and check the installed akshare version and its maintainers (the SKILL references akshare GitHub/docs); (3) review the included script if you need to ensure no hidden network endpoints or logging to external services (the script shown only calls AKShare APIs and prints JSON); (4) note the package source/homepage is not provided by the registry entry and the author contact in README is a personal email — if provenance matters, ask the maintainer for a canonical source (repo or homepage) before using in production. If you want extra caution, run the script locally and inspect network traffic or run it in a sandbox before granting any broader agent autonomy.

Purpose & Capability: okName/description advertise AKShare-based futures/option market data. The included script and SKILL.md only import and call AKShare functions (akshare, pandas) to fetch market data — these requirements match the stated purpose and are proportionate.
Instruction Scope: okRuntime instructions and the script focus on installing akshare/pandas and calling specific AKShare APIs. They do not read system files, environment secrets, or send data to unexpected external endpoints; they return JSON-formatted data from public finance sources as claimed.
Install Mechanism: noteThere is no registry-level install spec, but SKILL.md includes an OpenClaw 'install' metadata entry that requests pip installing akshare>=1.12 and pandas>=1.5. Installing from PyPI is expected for this skill and is low risk; these are well-known packages. Recommend verifying package versions and using a virtual environment.
Credentials: okThe skill declares no required environment variables, no credential access, and the code does not reference any secrets or unrelated env vars. This is appropriate for a data-fetching wrapper.
Persistence & Privilege: okalways is false and the skill does not request persistent system-wide changes or modify other skills. Model invocation is enabled by default (normal); there are no additional elevated privileges requested.