Back to skill
Skillv1.0.2
ClawScan security
Skills of A-share kline data released by ft.tech. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 11:26 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and network calls match its stated purpose of fetching A‑share K‑line and minute price data from market.ft.tech and do not request unrelated credentials or elevated privileges.
- Guidance
- This skill appears to do exactly what it claims: run local Python handlers that fetch data from market.ft.tech and return JSON. Before installing, confirm you trust the external domain (market.ft.tech) because the handlers make outbound HTTPS requests to it; if you have network controls or privacy concerns, consider blocking or auditing those requests. Also note the skill runs Python scripts via subprocess (normal for this packaging) and will print errors to stderr on HTTP failures. No credentials are requested.
Review Dimensions
- Purpose & Capability
- okName/description describe fetching OHLC and minute-level A‑share data; included handlers make HTTPS GET requests to https://market.ft.tech/app/api/v2/... and transform timestamps. The required resources (none) and code behavior align with this purpose.
- Instruction Scope
- okSKILL.md and run.py restrict behavior to locating and invoking the bundled sub-skill handlers. Handlers only call the documented endpoints, parse responses, convert timestamps, and print JSON. There are no instructions to read unrelated files, env vars, or transmit data to other endpoints.
- Install Mechanism
- okNo install spec or external downloads; the package is instruction-plus-source only. Nothing is written to disk beyond the included files and no external installers are invoked.
- Credentials
- okThe skill requests no environment variables, secrets, or config paths. HTTP requests include a static header (X-Client-Name: ft-web) but no API keys or tokens.
- Persistence & Privilege
- okSkill does not request always:true or system-wide changes. It runs as a normal, user-invoked skill (autonomous invocation allowed by default but not combined with other red flags). Handlers do not modify other skills or global config.