Vnstock Free Expert
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Install only if you intend to run Vnstock-based Vietnam stock analysis. Confirm Python, vnstock, and pandas are installed; use a dedicated output folder; store only the Vnstock API key if needed; avoid passing secrets on the command line; and review generic method calls or downstream handoff bundles before allowing the agent to run them. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could call Vnstock methods outside the prebuilt pipeline, potentially making broader provider requests than expected.
The skill exposes a broad generic entry point into Vnstock methods. This is disclosed and purpose-aligned, but users should ensure it is only used for requested data operations.
This script supports dynamic invocation by class name and method name with JSON kwargs.
Prefer the predefined pipeline for standard analysis; when using generic invocation, confirm the class, method, source, symbols, and request volume first.
A Vnstock API key may be read from a local .env file or supplied on the command line.
The skill handles an optional provider API key. This is expected for Vnstock use, but credentials are sensitive and the registry metadata does not declare a primary credential.
Skill-local key file: `.env` ... Variable: `VNSTOCK_API_KEY` ... You can override per run with `--api-key "..."`.
Use only the minimum Vnstock key needed, prefer a local .env over command-line secrets, and avoid adding unrelated brokerage or exchange credentials.
Copying the recipe directly may fail or point to a nonexistent path on the user's machine.
The invocation recipes include a developer-local absolute path. This suggests packaging/portability cleanup is needed, though it does not show hidden installation or remote execution.
python /Users/teahan/Projects/vscode-workspace/vn_stock_skill/skills/vnstock-free-expert/scripts/invoke_vnstock.py
Use the script path from the installed skill location, and verify dependencies such as vnstock and pandas before running.
Old or tampered local CSV/JSON outputs could change analysis results without being obvious.
The workflow intentionally persists intermediate data for reuse. This is useful and purpose-aligned, but stale or modified cached files could affect later rankings.
Save intermediate artifacts (`universe`, `market_data`, `fundamentals`) for resume.
Keep outputs in a dedicated directory, check timestamps, and rebuild cached artifacts when changing the universe, source, or analysis date.
Ticker data, computed metrics, and notes may be reused by other skills in the agent session.
The skill discloses a downstream handoff bundle for other skills. The data appears to be public market/financial data, but the inter-skill boundary is not further specified.
This bundle is designed to feed `equity-valuation-framework` and `portfolio-risk-manager`.
Review the handoff bundle before reuse, and avoid including private portfolio details unless the user explicitly requests that.