Back to skill
Skillv1.0.1
ClawScan security
Skills of A-share announcement data released by ft.tech. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 11:32 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill's code, instructions, and required resources are coherent with its stated purpose of querying and downloading A‑share announcements and reports from market.ft.tech.
- Guidance
- This skill appears to do exactly what it claims: query market.ft.tech endpoints and optionally save PDFs. Before installing, confirm you trust the source (market.ft.tech) and are comfortable the agent may write downloaded PDFs into the skill directory (handlers enforce a same-directory restriction). If you want extra safety, run the skill in an isolated environment or container and review the included scripts; there are no hidden network endpoints, required credentials, or remote install steps.
Review Dimensions
- Purpose & Capability
- okName/description match the code and runtime behavior: every handler issues HTTP GETs to https://market.ft.tech endpoints described in the SKILL.md and returns JSON or writes PDFs. No unrelated credentials, binaries, or external services are requested.
- Instruction Scope
- noteRuntime instructions are narrow and map to the included handlers. Handlers perform only HTTP GETs to the declared BASE_URL and output JSON or save PDF files. Note: PDF downloads are written to disk (see persistence); handlers may print HTTP error bodies to stderr. They do not read other system files or environment variables.
- Install Mechanism
- okNo install specification; code is included and run in-place via run.py. No remote downloads or package installs are performed by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The handlers only use network access to the single BASE_URL and command-line args; requested privileges are minimal and proportionate.
- Persistence & Privilege
- notealways is false and the skill is user-invocable. It writes downloaded PDFs to disk inside the current working directory (handlers restrict output to be under the base directory). Be aware run.py launches handlers with cwd set to the skill root, so saved files will be placed under the skill directory unless you run it differently.