Skillv1.0.2

ClawScan security

Stock Top Gainers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 20, 2026, 3:28 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and resource needs match its stated purpose (fetching A‑share 10‑day gainers via a browser snapshot with a cached fallback); it requests no credentials and has no install step.
Guidance: This skill is internally consistent: it uses the OpenClaw 'browser' tool to snapshot iwencai, parses the snapshot with local Python scripts, and falls back to an included cache if scraping fails. It asks for no secrets and performs no unrelated I/O. Things to consider before installing: (1) scraping depends on the browser tool and the snapshot format—if the platform's browser is logged into accounts, snapshots might include page state or cookies, so verify how the platform isolates browser sessions; (2) site terms of service—make sure scraping iwencai / Eastmoney is acceptable for your use; (3) the parser uses rigid regexes and may silently fail to extract live data (the skill then returns cached sample data). If you need stronger guarantees (real‑time, reliable parsing), request improvements to parsing logic or explicit error handling.

Review Dimensions

Purpose & Capability: okName/description (get A‑share 10‑day top gainers, exclude ST) align with the included scripts and SKILL.md. The scripts target the declared data sources (iwencai / Eastmoney) and implement snapshot parsing + a cached fallback. Declared tool and binary (browser, python3) match runtime usage.
Instruction Scope: noteInstructions limit actions to opening the target URL, taking a browser snapshot, parsing the snapshot, and falling back to a local sample. They do not request unrelated files, credentials, or external endpoints. Note: snapshot parsing relies on fragile regex patterns that assume a particular snapshot format; if the browser snapshot format changes the parser may fail and fallback to cache.
Install Mechanism: okThere is no install spec (instruction-only behavior with Python scripts present). No third‑party downloads or archives. Scripts run locally and call the platform's 'openclaw browser' tool via subprocess, which is expected for this environment.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. It only reads an included sample JSON as a local fallback. There are no unexpected secret accesses.
Persistence & Privilege: okalways is false and the skill is user‑invocable. disable-model-invocation is false (normal). The skill does not attempt to modify other skills or system configs. Its autonomous invocation capability is standard and not combined with broad credential access.