Skill v1.0.0

ClawScan security

我的技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 16, 2026, 2:37 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and SKILL.md match the stated purpose (fetch market quotes and news) but the registry metadata does not declare the many API keys the script requires and the script writes a local cache — the mismatch and multiple external endpoints warrant caution.
Guidance
This skill appears to do what it says (fetch market data and news), but note two issues before installing: (1) The published registry metadata does not list the many API keys and tokens the script actually uses — check SKILL.md and provide only keys for services you trust (Tavily, Serpapi, Brave, Bocha, Minimax, Tushare, etc.). The script will attempt outbound HTTP requests to those provider endpoints. (2) The script creates a local cache file (.cache/market_intel_cache.json) in the skill folder, so it will write to disk. Recommended steps: review market_intel.py in full to confirm there are no unexpected hardcoded endpoints, run the skill in a sandboxed environment or with limited network access if you are unsure, and ask the skill publisher to update the registry manifest to explicitly declare required environment variables and justify each external API endpoint.

Review Dimensions

Purpose & Capability
note: The name/description (market quotes + news intelligence) align with the included Python script and listed data sources (Eastmoney, YFinance, Tushare, Tavily, SerpAPI, etc.). However, the registry metadata declares no required environment variables while SKILL.md and the code require multiple API keys and tokens; that mismatch is unexpected and should be clarified.
Instruction Scope
ok: SKILL.md instructs the agent to run the included Python script and use it to fetch quotes, history, and news. The runtime instructions stay within the advertised scope (data collection, aggregation, structured output) and do not request unrelated system files or broad context collection.
Install Mechanism
ok: There is no installer or external download; this is an instruction-only skill plus a bundled Python file. That is low install risk (nothing fetched/installed at runtime beyond standard HTTP calls made by the script).
Credentials
concern: SKILL.md and the code reference many environment variables/API keys (TAVILY_API_KEY, SERPAPI_API_KEY, BRAVE_API_KEY, BOCHA/MINIMAX base URLs and keys, TUSHARE_TOKEN, etc.). Those credentials are relevant to the data sources — but the registry metadata does not declare them. The discrepancy means a user may be unaware they must provide multiple potentially sensitive API keys; the skill will also raise runtime errors if some required keys are missing for certain sources.
Persistence & Privilege
ok: The skill is not always-enabled and does not claim elevated privileges. It writes a local cache file under .cache/market_intel_cache.json in the skill directory (expected for caching, but it does persist data to disk). It does not modify other skills or global agent settings.