Skill v1.0.0

ClawScan security

EastMoney Conditional Stock Selection (东方财富网条件选股) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 7:58 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (querying EastMoney for conditional stock selection), but it omits required dependency and runtime details (headless Chromium and Python libs) and writes local cache/CSV files — verify runtime environment before installing.
Guidance
This skill appears to do what it says: automate a headless browser to get a site fingerprint, call EastMoney APIs, and save results as CSV. Before installing, check these points:
(1) the package does not declare dependencies — you will need Python, the DrissionPage library (or equivalent), and a Chromium/Chrome binary available to headless automation;
(2) the script will create a workspace directory and write fingerprint_cache.json and CSV files there;
(3) it makes network calls to EastMoney domains (no external or unknown endpoints found);
(4) run it in a controlled environment if you are unsure about running unvetted code from an unknown source;
(5) if you want to allow automated agent invocation, note this skill has no special 'always' privilege (default autonomous invocation is platform behavior).
If you want higher assurance, ask the author to provide a clear install spec (pip requirements and required browser binary) and a provenance/homepage for the project.

Review Dimensions

Purpose & Capability
ok: The name/description (use EastMoney to perform conditional stock selection) matches the provided Python script: it retrieves a site fingerprint cookie, calls EastMoney search APIs, and exports results. The endpoints used are EastMoney domains and the operations performed are coherent with the stated functionality.
Instruction Scope
note: SKILL.md limits runtime actions to invoking the provided Python script with a natural-language query. The script does perform browser automation to obtain a qgqp_b_id cookie and then posts queries to EastMoney APIs, and it writes fingerprint_cache.json and output CSV files into a local 'workspace' directory. It does not read unrelated system files or require extra credentials.
Install Mechanism
concern: There is no install spec despite included code that depends on external binaries/libraries (DrissionPage, a Chromium binary). The skill metadata lists no required binaries or packages, so the developer omitted runtime dependency/install instructions; that mismatch can cause surprise failures or hidden runtime requirements (headless Chromium).
Credentials
ok: The skill requests no environment variables or credentials. The script obtains a cookie value from a browser session for API access, which is necessary for the target site and not a broad request for unrelated secrets. It does create and write files under a local 'workspace' directory.
Persistence & Privilege
ok: 'always' is false and the skill does not request to modify other skills or system-wide settings. Its persistent behavior is limited to saving a fingerprint cache and CSV results to a local workspace — confined to its own files.