Skill v1.0.4

ClawScan security

Skills of A-share market data released by ft.tech. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 12:39 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested resources align with its stated purpose (fetching market data from https://market.ft.tech and a small ftai.chat endpoint); it requires no secrets and does not perform unexplained actions.
Guidance
This package contains many local Python handlers that will be executed by run.py; they make HTTPS GET requests to https://market.ft.tech (and one handler to https://ftai.chat). There are no requested secrets or unusual install steps. Before installing:
1) Confirm you trust the market.ft.tech/ftai.chat endpoints and the skill author, because included scripts run with the agent's process privileges.
2) If you will run test_runner, expect it to create test_logs/ files; review or run it in an isolated environment if you are cautious.
3) etf-pcf-download can write files but enforces path restrictions; still avoid running downloads with untrusted filenames.
4) If you have strict network or execution policies, restrict outgoing network access or review the specific handler scripts you plan to use.
Overall the skill appears coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: numerous sub-skills make HTTPS GET requests to market.ft.tech (and one sub-skill permits ftai.chat). No unrelated credentials, binaries, or external services are requested.
Instruction Scope
note: SKILL.md and run.py instruct the agent to locate and execute local Python handler scripts (via runpy). Handlers only perform GET requests to market.ft.tech (and ftai.chat for stock-security-info). test_runner and etf-pcf-download can write files: test_runner writes logs into test_logs/, and etf-pcf-download can save an XML to the working directory but has path traversal protections. This file I/O is consistent with testing and download functionality but is worth noting before running tests or downloads.
Install Mechanism
ok: No install spec; this is an instruction+code bundle that runs included Python scripts. Nothing is downloaded or executed from remote arbitrary URLs during install.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. Handlers do not read env vars in the provided files. Network access is the only external requirement and is directly related to fetching market data.
Persistence & Privilege
ok: always is false and the skill does not request permanent platform-wide privileges. It runs as ordinary code included in the skill package and does not modify other skills or global agent settings.