Stock Heat Rank
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s stock-ranking purpose is coherent, but it depends on running a large obfuscated JavaScript helper that the documentation describes as non-obfuscated, so it should be reviewed before use.
Before installing, review or sandbox lib/hexin_v.js, make sure the helper file comes from a trusted source, avoid running the compiled binary from untrusted directories, and pin/audit the npm dependencies. The stock-data collection behavior itself appears purpose-aligned, but the obfuscated helper and documentation mismatch warrant caution.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user would be running hard-to-review third-party JavaScript as part of a stock-ranking query.
The runnable helper uses obfuscation-style variable names, string tables, and decoder/control-flow patterns. Because this large helper is sourced as extracted frontend code and is executed locally, its provenance and behavior are harder to audit.
var a0_0x4f9ee0=a0_0x45b5;(function(_0x2d51df,_0xd5e931){...while(!![]){try{...}}}(a0_0xe51c,0xa810e)); ... function a0_0xe51c(){var _0x2ddd40=[...]
Use only if you trust the publisher and helper provenance. Prefer an audited, minimal signer implementation, include source/version provenance and hashes, and keep a reviewed copy of the helper.
Users may believe the helper is straightforward bundled code when it is actually difficult to review.
This assurance conflicts with the obfuscation patterns visible in the provided lib/hexin_v.js artifact. That mismatch could cause users to over-trust code that is difficult to inspect.
代码经过压缩(非混淆)... / Code is minified (not obfuscated), standard frontend bundling format
Correct the documentation to disclose the helper’s obfuscated/minified nature and provide verification guidance, source provenance, and checksums.
If the expected helper is missing or the working directory contains an unintended replacement, the skill could execute a different local JavaScript file.
The Go program automatically executes the JavaScript helper with Node, and if the helper is not found beside the executable it falls back to a relative lib/hexin_v.js path.
jsPath := filepath.Join(exeDir, "lib", "hexin_v.js") ... jsPath, _ = filepath.Abs("lib/hexin_v.js") ... cmd := exec.Command("node", c.jsPath, timestamp)
Bundle the helper beside the executable, verify its checksum before execution, avoid current-directory fallback, and run the skill only from a trusted directory.
A future install may fetch dependency versions different from those the author tested.
The skill asks users to run npm install for purpose-aligned JavaScript dependencies, but the semver ranges allow newer dependency versions and no lockfile is provided in the manifest.
"dependencies": { "jsdom": "^24.0.0", "canvas": "^2.11.2" }
Pin dependencies with a lockfile and install from a trusted package registry.
The skill may interact with third-party services in ways that can be blocked or may conflict with those services’ access rules.
The skill openly uses a signature helper to access Wencai data through anti-scraping checks. This is aligned with the data-collection purpose but is a behavior users should understand.
用于通过其API的反爬验证 / used to pass anti-scraping verification
Confirm that this data access is acceptable for your use case and be prepared for the provider to block or change the API.
