Skill v1.0.0
ClawScan security
Xia China Stock Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 15, 2026, 1:57 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the advertised China stock analysis functionality, but there are mismatches and optional behaviors (local subprocess calls, undeclared binaries, and truncated/unfinished code paths) that warrant caution before installing or running it.
- Guidance: This package generally matches its description (stock indicators, multi-source data, reports) but exercise caution: 1) SKILL.md and the registry disagree about installation — review and run pip installs yourself rather than trusting an automated installer. 2) news_search.py may call local binaries (mcporter, node) if present—these are not declared requirements; consider running in an environment without those tools if you want to avoid that code path. 3) The code performs web requests (Sina/EastMoney/Akshare/Yahoo) and writes logs locally—ensure this network access and file writes are acceptable. 4) Some source files appear incomplete/truncated (potential runtime errors); test in a sandbox before adding to production cron jobs. 5) If you proceed, review the code paths that call subprocess.run, confirm what external commands they would invoke on your machine, and run the skill in a restricted/sandboxed environment (or inside a container) to limit blast radius.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md align with a Chinese A-share/HK stock analysis toolkit (technical indicators, multi-source data, news aggregation, watchlist). However, there is an inconsistency: the registry metadata lists this as an instruction-only skill with no install spec, while SKILL.md includes a pip install step and the repository contains multiple Python scripts — the packaging/installation story is unclear but not necessarily malicious.
- Instruction Scope (concern): SKILL.md instructs running multiple local scripts (technical_indicators.py, integrated_analysis.py, news_search.py, etc.). Some modules (news_search.py) invoke local system binaries via subprocess (mcporter, node) and call external web APIs (Sina, EastMoney, Akshare, Yahoo). Those external command usages are not documented as required binaries in the skill manifest. The scripts also write log files under a local memory/analysis_logs path. Executing the skill will perform network traffic and may call local binaries if present.
- Install Mechanism (note): No high-risk install (no arbitrary URL downloads); SKILL.md recommends pip installing common packages (pandas, numpy, requests), which is expected. The registry however claimed 'no install spec' while SKILL.md provides a pip install step — a mismatch that should be resolved. There is no evidence of downloads from untrusted URLs or archive extraction in the provided files.
- Credentials (ok): The skill does not request environment variables or secrets. Its network usage is consistent with its stated purpose (fetching market data and news). That said, the code optionally invokes local tools (mcporter, node) which are not declared; this is an implementation detail rather than a credential/secret request.
- Persistence & Privilege (ok): The skill does not request persistent elevated privileges and 'always' is false. It writes logs and watchlist data to local paths within the project (normal for this kind of tool) and does not appear to attempt to modify other skills or system-wide agent configuration.
