ClawHub
Back to skill
v1.0.0

A Stock Daily Express

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

The skill mostly matches its stock-report purpose, but it overstates built-in fact-checking/accuracy and requires local Python execution with an unpinned data package.

GuidanceReview this skill before installing. It appears to generate A-share market summaries as advertised, but it runs local Python via a shell command and depends on the external akshare package. Do not rely on the advertised fact-checking/accuracy guarantee; verify financial data manually before publishing or using it for investment decisions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
| ✅ **事实核查** | 内置数据验证,保证数据准确 |

The supplied JavaScript fetches akshare data and formats a report, but it does not implement an independent fact-checking step or use the optional ai-fact-checker dependency. This overstates reliability for financial content that users may publish.

User impactA user could rely on a claimed accuracy guarantee and publish incorrect or unverified stock-market content.
RecommendationTreat generated reports as drafts, verify the market data against trusted sources, and remove or correct the fact-checking/accuracy guarantee unless implemented.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/daily-generator.js
const output = execSync(`python -c "${pythonCode.replace(/"/g, '\\"')}"`, { encoding: 'utf8', maxBuffer: 1024 * 1024 * 2 });

The skill runs a local shell command to execute inline Python. The Python code is static and purpose-aligned with fetching market data, but users should notice that installing/using the skill involves local command execution.

User impactUsing the skill may run local Python code and contact external market-data services through akshare.
RecommendationInstall only if you are comfortable with local Python execution, and review the script and Python environment before use.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
- `akshare` - 财经数据接口(需要 `pip install akshare`)

The skill relies on an external Python package installed outside package.json and without a pinned version. This dependency is expected for the stated purpose, but its provenance/version is not constrained by the artifacts.

User impactThe behavior and safety of the skill partly depend on the akshare package installed in the user's Python environment.
RecommendationInstall akshare from a trusted package index, consider pinning a known-good version, and keep the Python environment isolated if possible.