Skills for A-share market data released by ft.tech.
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to fetch public A-share market data from disclosed FT domains, with no credentials, persistence, file writes, or account-changing actions.
This looks safe for public market-data queries. Before installing, note that it will run bundled Python scripts and send requested stock symbols or market filters to the disclosed FT API domains; avoid using it for confidential watchlists if that matters to you.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs bundled Python code locally to fetch data from the provider APIs.
The dispatcher runs a local Python handler selected by the subskill argument. This is central to the skill and uses an argument list rather than a shell, but it is still local code execution and should remain limited to the documented bundled handlers.
handler = os.path.join(SKILL_ROOT, "sub-skills", subskill, "scripts", "handler.py")
...
subprocess.run([sys.executable, handler] + sys.argv[2:], cwd=SKILL_ROOT)
Invoke only the documented subskills. Maintainers could further reduce ambiguity by whitelisting allowed subskill names before launching a handler.
Users have less publisher/source context than they would with a linked repository or homepage, and the runtime requirement is implied rather than declared.
The registry metadata provides limited provenance and does not declare Python as a required runtime, while the skill instructions depend on running Python. The bundled code is present and simple, so this is a transparency note rather than a material concern.
Source: unknown; Homepage: none; Required binaries: none
Review the included files before installing, and prefer a version with declared runtime requirements and a verifiable source or homepage if available.
