Skill v1.0.0
ClawScan security
场外基金查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 2:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent for a fund-lookup tool: it runs a local Python script that queries public fund APIs and does not request credentials or unusual system access.
- Guidance: This skill runs a local Python 3 script (bundled) that makes outbound HTTP requests to public fund-data endpoints (fund.eastmoney.com, api.fund.eastmoney.com, fundgz.1234567.com.cn). It does not request credentials or read local files. Before installing: ensure you have/allow python3, confirm your environment permits outbound requests to those domains, and be aware the package source is 'unknown' with no homepage; if you require provenance, ask the publisher for a source repository or verify the script independently. Also note the small metadata mismatch: SKILL.md requires python3 while registry metadata lists no required binaries.
Review Dimensions
- Purpose & Capability: note. The skill's name/description (fund lookup) matches the included Python script which fetches fund data from public Eastmoney / 1234567 endpoints. Minor inconsistency: the registry metadata lists no required binaries, while SKILL.md declares a requirement for python3; otherwise all required artifacts are proportional to the stated purpose.
- Instruction Scope: ok. SKILL.md instructs the agent to run the bundled script with a fund code and optional command. The script only performs HTTP requests to public fund data endpoints, parses responses, and prints formatted output. It does not read other files, access environment variables, or transmit data to unknown endpoints.
- Install Mechanism: ok. No install spec is present (instruction-only with one bundled script). Nothing is downloaded or written to disk beyond running the included script, so install risk is low.
- Credentials: ok. The skill requires no credentials or environment variables. The bundled script performs network requests only to fund data endpoints and does not access unrelated secrets or config paths.
- Persistence & Privilege: ok. The skill is not always-enabled and does not modify other skills or system configuration. It runs only when invoked and has no elevated persistence requirements.
