Skillv1.0.0

ClawScan security

Market Data Hub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 9:35 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, instructions, and dependencies are consistent with its stated purpose (multi-source Chinese market data + indicators); nothing obviously unrelated or malicious is present, but exercise normal caution when installing third‑party Python packages and running code from an unknown source.
Guidance: This package appears to do what it claims: fetch Chinese market data and compute indicators. Before installing/running: 1) Inspect the strategies (tencent/akshare/baostock) for any custom network endpoints or unexpected behavior; 2) Install inside a fresh virtualenv or sandbox to avoid unreviewed third‑party code affecting your system; 3) Be aware pip packages (akshare, baostock, etc.) will make network calls — run tests offline or in a controlled environment if you are concerned; 4) The example script hard-codes a workspace path and writes CSVs locally — avoid running as root or in sensitive directories; 5) Note provenance: the skill has no homepage and unknown source — if you require stronger assurance, ask the publisher for a repository or sign-off, or run a thorough code review and unit tests in an isolated environment.

Review Dimensions

Purpose & Capability: okName/description, SKILL.md, requirements.txt, and included strategy modules (tencent/akshare/baostock) align: the skill needs akshare/baostock/requests/pandas to fetch and process market data. There are no declared credentials or unrelated environment variables requested.
Instruction Scope: noteSKILL.md limits runtime actions to installing requirements, calling the MarketDataHub API, and running tests. It does not instruct reading arbitrary system files or exfiltrating secrets. Minor note: example.py mutates sys.path to a hard-coded '/root/.openclaw/workspace/skills/market-data-hub/src' and several examples write CSV files locally — benign for local usage but worth reviewing before running in sensitive environments.
Install Mechanism: noteThere is no automated install spec in the registry; SKILL.md instructs pip install -r requirements.txt. Required packages come from PyPI (akshare, baostock, pandas, etc.), which is expected for this purpose but means installing third‑party code that will run on your system. No direct downloads from arbitrary URLs or extract/install steps were found.
Credentials: okThe skill does not request environment variables, credentials, or config paths. That is proportional: AKShare/Tencent/Baostock usage typically does not require user secrets. No hidden credential access detected in the provided files.
Persistence & Privilege: okSkill flags (always: false, disable-model-invocation: false) are normal. The package does not attempt to modify other skills or system-wide agent settings. No persistent privileged behavior detected.