Skill v1.0.2
ClawScan security
stock-monitor-lite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 7:46 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions mostly match a stock-monitoring purpose, but there are gaps (missing dependency declarations), a metadata mismatch, and the main Python file is large/truncated here so its full network behavior couldn't be verified; review before installing.
- Guidance: This package appears to implement a stock-monitoring tool that pulls data from Sina and EastMoney and runs local indicator logic. Before installing or scheduling it:
  1. review the full stock_monitor.py for any hardcoded remote endpoints, API keys, or unexpected network calls (the provided snippet is truncated);
  2. verify how alerts are delivered (does the script post to third-party webhooks or hardcoded URLs?) and remove or sandbox any unknown push destinations;
  3. run it in an isolated virtualenv/container and install only required libraries (requests, pandas) after inspecting code;
  4. confirm the package provenance: the _meta.json ownerId differs from the registry owner ID, which may indicate repackaging; and
  5. if you plan automated scheduling, start with a dry-run mode or verbose logging to observe behavior before giving it any elevated access.
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and README: the skill fetches market data (Sina + EastMoney) and computes technical indicators/alerts. The requested resources (none) are proportional to its stated purpose.
- Instruction Scope (note): SKILL.md instructs running python3 stock_monitor.py and scheduling periodic runs; it only references config.json for the watchlist. It does not ask to read unrelated system files or environment variables. However, README/SKILL.md mention 'push through channel' but do not specify endpoints; check the code to see how alerts are delivered.
- Install Mechanism (concern): No install specification is provided. The Python script depends on third-party libraries (requests, pandas), but the dependencies are not declared formally. That increases the risk of accidental execution in an unprepared environment; you should run in an isolated virtualenv and inspect requirements.
- Credentials (ok): No environment variables, credentials, or config paths are requested. Network access is used to call public finance APIs (hq.sinajs.cn and push2his.eastmoney.com), which is consistent with the stated purpose.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request privileged persistence. SKILL.md requests that you set an external scheduler in OpenClaw; that is expected for a monitoring tool.
