stock-invest-master

Result: Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for stock analysis, with no evidence of malicious behavior, but users should be aware of its external financial data calls, optional API-key use, manually installed dependencies, and local report server.

Before installing, be comfortable with the skill sending stock-analysis queries to external financial/search providers, installing optional Python dependencies if you run the helper scripts, and storing reports under ~/.stock-invest-master. Start the report server only when you need it, keep API keys limited to market-data providers, and independently verify any investment conclusions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Stock tickers, company names, and research queries may be sent to external data/search providers.

Why it was flagged

The skill explicitly directs the agent to call external financial/search tools to collect market and company data.

Skill content

Data sources: A-shares/Hong Kong stocks: `neodata-financial-search` ... US stocks: `financial-datasets` ... `WebSearch` ... Retrieval: call tools to obtain financial, announcement, and fund-flow data.

Recommendation

Use the skill for public-market research inputs, avoid adding unrelated private information to queries, and verify important figures against primary sources.

What this means

If Alpha Vantage is used, the agent or user may need to handle a provider API key.

Why it was flagged

The helper script documents optional use of a third-party API key, while registry requirements do not declare required credentials.

Skill content

Alpha Vantage (optional): free API, requires applying for an apikey

Recommendation

Use only a low-privilege market-data API key, do not provide brokerage/login credentials, and avoid storing keys in generated reports or prompts.

What this means

Manual package installation may pull current PyPI versions that were not pinned or reviewed in the skill metadata.

Why it was flagged

The script documents manual installation of unpinned Python packages, but the registry install spec declares no install mechanism.

Skill content

Dependencies: pip install yfinance requests

Recommendation

Install dependencies in an isolated environment and prefer pinned, reviewed versions if you plan to run the helper scripts.

What this means

When viewing reports, browser rendering may depend on external CDN code.

Why it was flagged

The local report viewer is documented as relying on a CDN-hosted JavaScript library for Markdown rendering.

Skill content

Automatic Markdown rendering via marked.js (CDN)

Recommendation

Prefer a pinned/local Markdown renderer or verify the CDN source before using the report viewer for sensitive personal investment notes.

What this means

Generated investment reports may be accessible through the local report server while it is running.

Why it was flagged

The included server can browse and serve generated report files from the user's report directory over HTTP.

Skill content

Serve Stock Invest Master reports with Markdown rendering and directory browsing ... REPORTS_DIR = os.path.expanduser("~/.stock-invest-master") ... DEFAULT_PORT = 8888

Recommendation

Run the server only when needed, keep it bound to localhost if possible, avoid placing unrelated sensitive files in the report directory, and stop it after viewing reports.

What this means

A report server could continue running after the analysis task if started in daemon mode.

Why it was flagged

The report server includes daemon/PID-file behavior, indicating it may be run as a longer-lived background service.

Skill content

PID file management for daemon operation

Recommendation

Make server startup explicit, document/confirm how to stop it, and check for a running process if reports should no longer be served.