Skill v1.0.0

ClawScan security

股票打板筛选 (stock limit-up board screener) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 5:39 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions align with a local command-line stock screener that queries a public market API; the main issues are minor inconsistencies in documentation (claimed data source) and packaging metadata.
Guidance
This skill appears to be what it claims: a simple CLI that fetches market data from a public API and prints screened results. Before installing: 1) Note the documentation mismatch — SKILL.md says Sina Finance but the code calls Eastmoney; confirm you are comfortable with Eastmoney as the data provider. 2) Review package.json if you plan to publish or install via npm (the 'bins' field is nonstandard). 3) If you require strict provenance, review the code locally (bin/board.js is short) to ensure no network calls are added in future updates. 4) Be aware the tool needs outbound network access; ensure this aligns with your environment and any data-provider terms of service.

Review Dimensions

Purpose & Capability
note: The skill's code implements an A-share screening tool (limit-up / strong momentum / ChiNext / STAR Market) consistent with the description. However, SKILL.md states the data source is '新浪财经' (Sina Finance) while bin/board.js actually queries push2.eastmoney.com (Eastmoney). This is an inconsistency in documentation but does not appear to change functionality.
Instruction Scope
ok: SKILL.md instructs running the local 'board' CLI with simple arguments; the implementation only performs HTTPS GET requests to a public market API and prints results. The instructions do not ask the agent to read unrelated files, environment variables, or send data to unexpected endpoints. The only scope issue is the mismatched stated data source vs actual endpoint.
Install Mechanism
ok: No install script is provided (instruction-only install), and the included code is a small Node CLI that makes outgoing HTTPS requests. There are no downloads from arbitrary URLs or archive extraction. package.json uses a nonstandard 'bins' array instead of the usual 'bin' field, which is a packaging metadata issue but not a code-safety concern.
Credentials
ok: The skill declares no required environment variables, no credentials, and the code does not access process.env. It only needs outbound network access to Eastmoney's public API, which is proportionate to its purpose.
Persistence & Privilege
ok: 'always' is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills' configs or system-wide settings.