Fund Daily Report

WarnAudited by ClawScan on May 15, 2026.

Overview

Review recommended: the skill mostly matches its fund-report purpose, but its script embeds a hardcoded JQData phone/password credential that users cannot control.

Do not install as-is unless you have reviewed and removed the hardcoded JQData credential. If you use this skill, run it in a virtual environment, pin dependencies, provide any required data-provider credentials yourself through documented environment variables, and only enable daily Heartbeat automation if you want scheduled external API access.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI03: Identity and Privilege Abuse

What this means

Installing or running the skill could use and expose an embedded JQData account credential, and users have no clear control over whose account is used or what access is granted.

Why it was flagged

The script contains a hardcoded third-party service username/password and will authenticate to JQData if the fallback path runs, despite the skill not requiring a user-provided credential.

Skill content

import jqdatasdk as jq
        jq.auth('13918681158', 'Yindb1158')

Recommendation

Remove the hardcoded credential, rotate the exposed password, and require users to provide their own JQData credentials through documented environment variables only if the fallback is needed.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The behavior of the skill depends on external Python packages that may change over time or have their own security posture.

Why it was flagged

The skill relies on manually installed, unpinned third-party packages. This is purpose-aligned for a market-data report but means package provenance and version changes matter.

Skill content

pip install akshare jqdatasdk pandas numpy

Recommendation

Install in a virtual environment, use trusted package sources, and pin/review dependency versions before routine use.

Info

#ASI10: Rogue Agents

What this means

If enabled, the skill may run every day and make external market-data API calls without a fresh manual prompt each time.

Why it was flagged

The README suggests daily automatic execution. This is coherent for a daily report, but it is still scheduled autonomous activity that should be user-controlled.

Skill content

- 建议配合 OpenClaw Heartbeat 每日自动运行

Recommendation

Only enable scheduled execution deliberately, review logs, and disable the schedule if you do not want automatic daily network activity.