investment-advisor

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may run the included analysis script locally when a stock-analysis request is made.

Why it was flagged

The skill expects the agent or user to run included local JavaScript code. This is disclosed and central to the stock-analysis purpose, not hidden or unrelated behavior.

Skill content

The script is located at `{Skill Location}/scripts/analyze.mjs`, is executed via `node`, and outputs data in JSON format.

Recommendation

Review the included scripts if desired, and run only the documented commands with intended stock symbols.

What this means

Stock tickers or portfolio symbols entered for analysis may be visible to the external market-data provider.

Why it was flagged

The script sends requested stock identifiers to an external finance API. This data flow is disclosed and purpose-aligned, but users should know it occurs.

Skill content

const url = `https://push2his.eastmoney.com/api/qt/stock/kline/get?secid=${secid}&fields1=...&lmt=${limit}`;

Recommendation

Avoid entering sensitive portfolio details beyond the symbols needed, and confirm the external data providers are acceptable for your privacy needs.

What this means

A user could rely on generated buy/sell or position-size suggestions for real financial decisions.

Why it was flagged

The skill intentionally produces trading recommendations and position guidance, while also including a disclaimer. This is purpose-aligned but financially high-impact if over-trusted.

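Skill content

Recommendation: strong_buy / buy / hold / sell / strong_sell ... Recommended position size ... All analysis and recommendations provided by this skill are for reference only and do not constitute investment advice.

Recommendation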

Treat outputs as research aids, verify against independent financial sources, and do not use them as personalized financial advice.

What this means

Users may not realize Node.js is required, and the version mismatch makes provenance slightly less clear.

Why it was flagged

The package declares a Node-based entry point and a package version that differs from the registry version 1.0.0, while the registry metadata lists no required binaries. This is an under-declared prerequisite/provenance inconsistency rather than hidden behavior.

Skill content

"version": "2.0.0" ... "scripts": { "analyze": "node scripts/analyze.mjs" }

Recommendation

Declare Node.js as a required binary and align package and registry versions before publication.