Skill v1.0.0
ClawScan security
Quant-Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 12, 2026, 8:49 AM)
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, requirements, and runtime instructions are consistent with a Tushare-based Chinese A‑share quantitative analysis tool; nothing requests unrelated credentials or surprising install behavior, though the shipped scripts contain some apparent truncation/typos that will likely cause runtime errors and should be fixed before use.
- Guidance
- This skill appears coherent for Tushare-based Chinese market analysis and legitimately needs only your TUSHARE_TOKEN and the standard Python packages (tushare, pandas, requests). Before enabling: 1) Ensure you inject the TUSHARE_TOKEN via OpenClaw config rather than hardcoding it; 2) install required Python packages from trusted sources in an isolated environment; 3) review and fix the shipped scripts — the provided file listing shows truncations/typos that will likely crash (fix 'star' → 'start', complete truncated functions/lines); 4) run the scripts in a sandbox first to confirm behavior; 5) be aware the holiday helper calls timor.tech and other scripts will call Tushare (both are networked APIs), so the token and any output could be exposed to those services. If you want higher assurance, request a complete, non‑truncated copy of the code or ask the publisher for checksum-signed releases.
Review Dimensions
- Purpose & Capability
- ok: Name/description (A‑share quant analysis using Tushare and a holiday helper) matches the actual artifacts: Python scripts that call Tushare Pro and a holiday API. The single main credential (TUSHARE_TOKEN) is exactly what this skill needs. Required binaries (python) and Python packages (tushare, pandas, requests) are appropriate for the stated purpose.
- Instruction Scope
- note: SKILL.md keeps scope focused on Tushare queries, screening, diagnosis, and optional event research for interpretation. It instructs the agent not to auto-install packages and to use Tushare as the primary numeric source. It allows adding web evidence for interpretive tasks (which is reasonable), but does not hardcode external data sinks. Note: several bundled scripts in the provided listing appear truncated or contain obvious typos (e.g., 'star' instead of 'start' in holiday_helper.trading_days_range, unfinished lines like 'wi' in stock_diagnosis). Those are functional/integrity issues that will cause runtime failures unless corrected.
- Install Mechanism
- ok: No install spec is provided (instruction-only install), so nothing is downloaded or written by the registry installer. This minimizes supply-chain risk. The scripts require standard Python packages but explicitly avoid auto-installation, which aligns with the SKILL.md rules.
- Credentials
- ok: Only the Tushare credential is declared as primary (TUSHARE_TOKEN). The helper also looks for TUSHARE_PRO_TOKEN as an alternative, which is reasonable. No unrelated secrets or system config paths are requested. The skill accesses network APIs (Tushare via the tushare library and timor.tech for holidays), which is expected for data retrieval.
- Persistence & Privilege
- ok: 'always' is false and model invocation is allowed (default). The skill does not request permanent elevated presence, nor does it indicate it will modify other skills or global agent configuration. Nothing in the package attempts to persist credentials to unexpected locations.
