v1.0.2

A Share Daily Report

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:35 AM.

Analysis

Review before installing: the skill matches its market-report purpose, but it can rely on unclear credentials and may generate or share actionable investment guidance even when using mock fallback data.

Guidance: Install only if you are comfortable reviewing its data-source and credential setup. Ensure mock-data fallback is clearly labeled or disabled for investment decisions, configure your own API keys instead of relying on built-in/global tokens, and use --publish only after confirming the Feishu destination and report contents.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
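Core decisions (trading strategy + watchlist targets with entry ranges/stop-loss + Kelly-formula position sizing) ... Fallback strategy: primary source fails → backup source → mock data. A report can still be generated when all sources fail.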

The skill can produce actionable stock, stop-loss, and position guidance while explicitly continuing report generation with mock data when sources fail.

User impact: A user could mistake simulated or fallback data for real market data and make financial decisions based on an automatically generated report.
Recommendation: Make mock data impossible to confuse with real data, disable trading recommendations when any critical section uses mock data, and require prominent source/fallback labels in the report.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
ARCHITECTURE.md
Installed and reused skills ... akshare-cn-market ... tushare-skills ... mx-data ... mx-search ... imported directly and used via the Python interface

The skill is designed to reuse other locally installed skills and their interfaces, which is expected for data integration but expands the trusted code and service surface beyond this package.

User impact: Report generation may depend on other installed skills or services that are not part of this artifact review.
Recommendation: List these skill dependencies explicitly in install metadata and pin or document compatible versions and trust boundaries.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
DATA_SOURCES.md
tushare-skills - configured globally, no need to set the token manually ... API endpoint: http://lianghua.nanyangqiankun.top (built in) ... Token: built in

The documentation describes globally configured or built-in credentials and a built-in HTTP endpoint, but the registry contract lists no required credentials or environment variables.

User impact: The skill may use API credentials or delegated data-service access whose owner, scope, transport security, and quota impact are not clear to the installer.
Recommendation: Declare all required and optional credentials in metadata, avoid built-in/shared tokens, use HTTPS endpoints, and document exactly which account or token is used for each data provider.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
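--publish  # enable publishing to Feishu ... automatically creates a Feishu cloud document ... sends a message notification (including the document link)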

The optional publish mode sends generated report content to Feishu cloud documents and messages, creating an external data boundary.

User impact: If enabled, watchlist details, analysis, and report links may be shared to the configured Feishu document space or recipient.
Recommendation: Before using --publish, verify the target chat ID, folder token, and report contents, and keep publishing disabled unless external sharing is intended.