Skill v0.3.3

ClawScan security

Firesale Stress Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 2:27 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description (bank firesale stress test) is plausible, but the runtime instructions require Python packages, filesystem paths, and potentially external data-provider credentials that are not declared in the registry metadata — there is a mismatch between what it says it needs and what it actually instructs the agent to do.
Guidance
This skill appears to be a plausible bank stress-test/backtest tool, but its runtime instructions require more access than the registry declares. Before installing or running it:
1) Verify provenance: ask the author/source; don't run unknown instructions with network access.
2) Inspect seed.yaml and SKILL.md locally to confirm you accept the precondition commands (they run python -c checks and may pip install packages).
3) Run the skill in an isolated environment (container or VM) to avoid unexpected filesystem or network side effects.
4) Be prepared to provide data-provider credentials (joinquant, qmt, etc.) if you intend to fetch paid/broker data; do not hand over secrets unless you trust the source.
5) If you only want static analysis or code generation, request a mode that does not run installs or recorders.
6) Ask the maintainer to declare required binaries/env vars/config paths explicitly in registry metadata and to provide an explicit, auditable install spec instead of implicit runtime pip installs.

Review Dimensions

Purpose & Capability
concern · The skill claims to be an instruction-only backtest/stress-test. That purpose legitimately needs Python and domain libraries (zvt) plus data files. However, the registry lists no required binaries, env vars, or config paths, while SKILL.md and seed.yaml explicitly require Python 3.12+, the zvt package, ZVT_HOME (filesystem access) and reference data providers (eastmoney, joinquant, qmt) that will require credentials. The declared metadata understates the real requirements.
Instruction Scope
concern · SKILL.md and seed.yaml instruct the agent to re-read seed.yaml, run precondition checks (python -c ...), verify package imports, and on failure run pip install zvt or recorder commands. These runtime steps include filesystem checks, package installation commands, and potential network activity to fetch packages/data. The instructions also reference data-provider usage patterns that imply supplying external credentials or accounts. That expands the agent's data access and network footprint beyond what the registry declares.
Install Mechanism
concern · There is no formal install spec in the registry, but the execution protocol in seed.yaml and the SKILL.md preconditions direct the agent to run package installation (e.g., pip install zvt) and to execute scripts/recorders. Because installation is performed implicitly by runtime instructions (and not declared), the skill may trigger network downloads and write files, which is higher risk than a pure instruction-only skill with no install steps.
Credentials
concern · Registry declares no required env vars, yet SKILL.md/LOCKS/seed.yaml reference ZVT_HOME, require writable data directories, and the human_summary mentions data sources (joinquant, qmt) that normally require API keys/accounts. Required credentials are not declared. This mismatch means users might be prompted for or expected to provide secrets that were not warned about up front.
Persistence & Privilege
note · always: false (good). The skill asks to run precondition checks and to install or initialize local data directories (zvt.init_dirs); these actions create or write files in the user's workspace (~/.zvt by default). That is expected for a backtest tool, but because the install actions are implicit, you should expect the agent to perform I/O and network installs at runtime. The skill does not request cross-skill config changes or 'always' privilege.
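The check behind guidance steps 2 and 6 and the Install Mechanism and Credentials findings above is a diff between what the instruction files require and what the registry declares. The script below is an added example of that check; it is not ClawScan's own scanner logic and not code from the skill. The SKILL.md and seed.yaml texts are constructed samples that mimic the behaviors the review describes (python -c precondition checks, an implicit pip install zvt, ZVT_HOME, ~/.zvt, provider accounts); the regexes and the flag names are the example's own assumptions, and the declared-metadata dict stands in for the registry listing no binaries, env vars, or config paths.

```python
"""Audit an 'instruction-only' skill for runtime requirements its registry metadata does not declare."""
import re
from dataclasses import dataclass, field

# Constructed sample inputs standing in for a skill's SKILL.md and seed.yaml.
# They are illustrative only; they are not the real files of the skill reviewed above.
SAMPLE_SKILL_MD = """# Firesale Stress Test (constructed sample)

## Preconditions
Re-read seed.yaml, then verify the interpreter and the domain library:

    python -c "import sys; assert sys.version_info >= (3, 12)"
    python -c "import zvt"

If the import fails, run `pip install zvt` and then `python -c "import zvt; zvt.init_dirs()"`.
Data is read from $ZVT_HOME (default ~/.zvt). A joinquant or qmt account may be required.
"""

SAMPLE_SEED_YAML = """# constructed sample, not the real seed.yaml
name: firesale-stress-test
always: false
execution_protocol:
  - step: precondition
    run: python -c "import zvt"
    on_failure: pip install zvt
  - step: init_dirs
    run: python -c "import zvt; zvt.init_dirs()"
    writes: ZVT_HOME
    default: ~/.zvt
  # joinquant credentials are needed for paid provider data
"""

# What the registry metadata declares. Empty sets mirror the case on this page.
DECLARED_NOTHING = {"binaries": set(), "env_vars": set(), "config_paths": set()}

# Heuristic patterns (assumptions of this example, not a published ClawScan rule set).
INSTALL_RE = re.compile(r"\b(?:pip3?|pipx|uv|conda|npm|apt(?:-get)?|brew)\s+(?:install|add)\b[^\n`\"]*")
INLINE_EXEC_RE = re.compile(r"\bpython3?\s+-c\s+(?:\"[^\"]*\"|'[^']*')")
BINARY_RE = re.compile(r"(?:^|[`\s])(python3?|pip3?|pipx|uv|conda|npm|git|curl|wget)\b")
ENV_RE = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?|\b([A-Z][A-Z0-9]*_(?:HOME|DIR|PATH|KEY|TOKEN|SECRET))\b")
PATH_RE = re.compile(r"(?<![\w.])(~/[\w./-]+|/(?:etc|home|opt|var|tmp)/[\w./-]+)")
CREDENTIAL_RE = re.compile(r"\b(api[ -]?key|token|account|login|credential|password|secret)s?\b", re.I)
SECRET_ENV_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)$")


@dataclass
class Findings:
    binaries: set = field(default_factory=set)
    env_vars: set = field(default_factory=set)
    config_paths: set = field(default_factory=set)
    install_commands: set = field(default_factory=set)
    inline_exec: set = field(default_factory=set)
    credential_hints: set = field(default_factory=set)

    def merge(self, other: "Findings") -> "Findings":
        for name in vars(self):
            getattr(self, name).update(getattr(other, name))
        return self


def extract(text: str) -> Findings:
    """Pull runtime requirements out of free-form instruction text."""
    f = Findings()
    f.binaries.update(BINARY_RE.findall(text))
    f.env_vars.update(dollar or bare for dollar, bare in ENV_RE.findall(text))
    f.config_paths.update(PATH_RE.findall(text))
    f.install_commands.update(m.group(0).strip() for m in INSTALL_RE.finditer(text))
    f.inline_exec.update(m.group(0) for m in INLINE_EXEC_RE.finditer(text))
    f.credential_hints.update(h.lower() for h in CREDENTIAL_RE.findall(text))
    return f


def audit(skill_md: str, seed_yaml: str, declared: dict) -> dict:
    """Compare what the instructions require with what the registry declares."""
    found = extract(skill_md).merge(extract(seed_yaml))
    undeclared = {
        "binaries": sorted(found.binaries - declared["binaries"]),
        "env_vars": sorted(found.env_vars - declared["env_vars"]),
        "config_paths": sorted(found.config_paths - declared["config_paths"]),
    }
    flags = []
    if found.install_commands:
        flags.append("implicit_install")        # pip/npm/... invoked from prose, not an install spec
    if found.inline_exec:
        flags.append("inline_exec")             # python -c "..." executed at runtime
    if found.credential_hints and not any(SECRET_ENV_RE.search(v) for v in declared["env_vars"]):
        flags.append("undeclared_credentials")  # accounts/keys mentioned, no secret env var declared
    if any(undeclared.values()):
        flags.append("metadata_mismatch")       # instructions need things the registry never listed
    return {
        "undeclared": undeclared,
        "install_commands": sorted(found.install_commands),
        "inline_exec": sorted(found.inline_exec),
        "credential_hints": sorted(found.credential_hints),
        "flags": flags,
        "verdict": "suspicious" if flags else "consistent",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SKILL_MD, SAMPLE_SEED_YAML, DECLARED_NOTHING), indent=2))
```

Run it against the real SKILL.md and seed.yaml before installing: anything listed under "undeclared" is what guidance step 6 asks the maintainer to put into registry metadata, and a non-empty "install_commands" list is the implicit pip install that belongs in an explicit install spec instead. Declaring a secret-named env var (for example a hypothetical JOINQUANT_TOKEN) clears the credentials flag without making the pip install any less implicit, which is the intended distinction.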