Stock Realtime Brief
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could rely too heavily on the generated stop-loss or sell instructions and make financial trades based on imperfect data or assumptions.
The skill is designed to generate specific, executable trading instructions for the user to enter in a brokerage app. This is disclosed and central to the skill, but it could strongly influence financial decisions.
All hard stop-loss levels must be set by the user as conditional orders in the brokerage app
Treat outputs as analysis aids only, verify prices and logic independently, and consult a qualified financial professional before making real trades.
If the portfolio file is stored in a shared workspace, committed to Git, or pasted into other tools, it could reveal sensitive personal financial holdings.
The skill expects a persistent local portfolio file containing holdings, costs, share counts, and margin debt. The template correctly warns that this is sensitive.
"_security_note": "此文件包含敏感信息,请加入 .gitignore(建议命名为 my_portfolio.json)"
Keep portfolio files outside shared folders, add them to .gitignore, avoid including unnecessary account identifiers, and review what data is shared with the agent.
Stock codes used for announcement searches may be sent through the configured search tool, and results depend on that tool’s behavior and trustworthiness.
The announcement checker calls an external gsk search CLI when available. It uses an argument list rather than shell execution and is purpose-aligned, but it is still an external tool invocation.
subprocess.run(["gsk", "search", query, "--output", "json"], capture_output=True, text=True, timeout=timeout)
Use the --skip-announce option if you do not want announcement searches, and only enable gsk in environments where you trust its configuration and data handling.
Dependency updates could change behavior or introduce upstream supply-chain risk even though these packages are expected for the skill’s purpose.
The Python dependencies are declared as minimum-version ranges without a lockfile in the provided manifest, so future installs may resolve newer package versions.
akshare>=1.12.0
pandas>=2.0.0
requests>=2.28.0
Install in a virtual environment, consider pinning exact versions, and review dependency updates before using the tool for important decisions.
Third-party data providers may see the stock codes being queried, which can reveal part of a user’s watchlist or holdings.
The skill contacts third-party finance data endpoints to retrieve stock quotes and historical K-line data. This is expected for real-time stock analysis, but stock symbols from user input or portfolio files leave the local environment.
SINA_REALTIME_BASE = "https://hq.sinajs.cn/list="
TENCENT_HISTKLINE_BASE = "https://web.ifzq.gtimg.cn/appstock/app/fqkline/get"
Use only with stock codes you are comfortable querying through public finance data providers, and avoid including more portfolio detail than needed.
