Skill v1.0.0

ClawScan security

A Stock Screener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:26 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with a stock‑screening tool that uses AkShare; nothing requests unrelated credentials or installs unexpected components, but the script contains many simplified placeholders and is not production‑grade — review before trusting investment decisions.
Guidance
This skill appears to be what it says — a simple A‑share screening tool that relies on AkShare and pandas. Before installing or running: 1) Review the included Python script yourself (it contains many simplified placeholders and skips detailed financial checks), 2) run it in an isolated environment (virtualenv/container) and inspect network activity — AkShare scrapes/queries public data providers (Eastmoney, wnencai, etc.), so confirm this is acceptable under your environment and the providers' terms, 3) pip install only the listed dependencies from PyPI and verify their versions, 4) do not treat the output as investment advice — the script explicitly skips rigorous financial validation, and 5) if you plan to automate runs or integrate with trading, add proper error handling, rate limiting, and audit logging. If you want higher assurance, ask the maintainer for provenance or a signed release; the skill's source is 'unknown' and a maintainer email/contact is not provided.

Review Dimensions

Purpose & Capability
ok
Name/description (A 股五步量化选股, "A-share five-step quantitative stock selection") match the included assets: a SKILL.md describing the five‑step process and a Python script that calls AkShare and pandas to fetch market and historical data and export Excel. Required dependencies mentioned (akshare, pandas, numpy, openpyxl) are appropriate and expected for this purpose.
Instruction Scope
note
SKILL.md instructs the agent/user to run the provided script and to pip install standard Python packages. The runtime instructions do not attempt to read unrelated files, environment variables, or secret stores. Note: the script itself contains many simplified/placeholder steps (head() sampling, comments that detailed checks are skipped, and recommendations to use third‑party terminals like 同花顺 for deeper checks). Those simplifications mean the tool does not fully implement the claims in the description — not a security problem but a functionality caveat.
Install Mechanism
ok
No install spec is included. The SKILL.md recommends pip installing well‑known packages from PyPI (akshare, pandas, numpy, openpyxl). This is a standard, low‑risk approach. There are no downloads from arbitrary URLs or archive extraction instructions in the skill files.
Credentials
ok
The skill does not request any environment variables, credentials, or config paths. All network access is via AkShare/library calls (which will fetch data from public financial data sites) — this is proportionate to a data‑driven screener. No unrelated secrets are requested.
Persistence & Privilege
ok
The skill is not always‑enabled and does not request elevated or persistent platform privileges. It does not attempt to modify other skills or agent configuration. Autonomous invocation is allowed by platform default (disable-model-invocation=false) but that is normal; combined with the lack of sensitive access there is no additional concern.