Skill v1.1.0
ClawScan security
缠论技术分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 7, 2026, 2:54 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (Chan theory technical analysis): it fetches market data via yfinance, runs local analysis with numpy, and prints results; it does not request secrets or perform unrelated actions.
- Guidance: This skill appears coherent with its stated purpose, but consider the following before installing:
  - Run the code in a virtual environment (venv/conda) rather than using '--break-system-packages' to avoid altering system Python packages.
  - Installing yfinance and numpy pulls packages from PyPI; if you need higher assurance, review the specific package versions or install from a pinned requirements file.
  - The script fetches market data from Yahoo Finance (network access). If you need offline or private-data assurance, avoid running it in sensitive network environments.
  - The tool prints analysis and is not a substitute for professional trading advice; verify outputs and test with known symbols.
  - If you want extra safety, review scripts/analyze.py yourself (it's included) to confirm no unwanted behavior, or run it in an isolated sandbox before use.
Review Dimensions
- Purpose & Capability (ok): Name/description describe Chan-theory analysis for A-share/HK/US/crypto. The code and SKILL.md use yfinance and numpy to fetch historical price data and compute indicators; these dependencies are coherent and expected for the stated functionality.
- Instruction Scope (ok): SKILL.md instructs installing yfinance and numpy and running scripts/analyze.py. The script only fetches historical data via yfinance and performs local computations and stdout printing; it does not read unrelated files, environment variables, or send data to unexpected endpoints. Note: it makes network requests to Yahoo Finance (via yfinance).
- Install Mechanism (note): There is no registry install spec (instruction-only), which is low-risk. SKILL.md asks users to run 'pip3 install yfinance numpy --break-system-packages'; this installs packages from PyPI (supply-chain risk) and the '--break-system-packages' flag can affect system-managed Python packages; recommend using a virtualenv or isolated environment instead of breaking system packages.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The code does not attempt to access secrets. The only external dependency is network access to fetch market data from Yahoo Finance.
- Persistence & Privilege (ok): Skill does not request permanent/always-on inclusion, does not modify other skills or system settings, and does not store credentials. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.
