A股-股市分析和投资顾问(安西军项目)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a mostly coherent read-only stock data and analysis skill, but users should be aware it uses a provider API key, external search/forum content, and lightly scoped sub-agent/notification wording.
This skill appears safe to use for read-only public stock data analysis if you configure the API key through a secret manager and do not paste it into chat. Treat web/forum sentiment and API-provided text as untrusted context, verify financial conclusions independently, and require explicit confirmation before any notification or cross-agent sharing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is exposed, someone else may be able to use the user's stock-data API access or quota.
The skill needs a provider API key to query the stock-data service. This is expected for the purpose, and the same file says not to echo, request, store, or output the key.
需 TAX_API_KEY 鉴权;仅用于公开历史数据查询... Header: TAX-API-Key: <你的授权码>
Configure TAX_API_KEY only through the platform's secret/env-var mechanism, do not paste it into chat, and rotate it if it may have been exposed.
Provider-returned text could influence the analysis or wording if the agent treats it as instructions rather than data.
The skill tells the agent to integrate prompts or hints returned by the API into LLM analysis. That is purpose-aligned if treated as data, but remote text should not override the user's request or the skill's safety boundaries.
对上述数据并且**集成**接口返回的提示,用LLM进行分析
Treat API-returned hints as untrusted source content, preserve the /stocks-only and no-secrets/no-trading boundaries, and cite or summarize such content rather than following it as instructions.
Stock analysis may be affected by unreliable public commentary or promotional/rumor content.
The skill may use public web, forum, and news/search results as analysis context. This is relevant to stock sentiment analysis, but such content can be noisy, biased, or intentionally manipulative.
利用llm的搜索功能去收集各大论坛,股吧等相关信息
Ask for sources, separate facts from sentiment, and verify important conclusions against primary market or company disclosures.
If the host agent has notification or multi-agent tools, query details or reports could be routed beyond the main chat unless the agent keeps those actions user-directed.
The runtime workflow mentions sub-agent processing and notification push without defining recipients, permissions, or data boundaries. No code implements this, so it is a note rather than a demonstrated unsafe behavior.
默认是以下1,2,3,4,5步以子代理的方式进行处理... 8. 通知推送。
Keep results in the chat by default, ask before sending notifications, and do not pass API keys or private portfolio details to other agents or channels.