v0.1.0

Stock Monitor

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

This appears to be a purpose-aligned stock alert monitor, but users should know it runs a background process and queries third-party market/news services.

Guidance

Review and edit the watchlist and cost values before use, install any needed Python dependencies, and only start the daemon if you want continuous background polling. Be aware that monitored symbols may be sent to Sina/EastMoney-style providers, and treat any generated trading suggestions as informational rather than authoritative financial advice.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
scripts/control.sh
nohup python3 "$SCRIPT_DIR/monitor_daemon.py" > "$LOG_DIR/monitor.log" 2>&1 &

The control script starts a background daemon and records logs/PID under $HOME/.stock_monitor. This is disclosed and purpose-aligned, but it will continue running until stopped.

User impact: The monitor can keep polling market data in the background after it is started.
Recommendation: Start it only when you want continuous monitoring, and use ./control.sh status, log, and stop to manage it.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

The provided artifacts include shell/Python scripts that invoke python3 and import requests, so setup requirements are under-declared even though the behavior is visible and purpose-aligned.

User impact: Installation or first run may fail or require manual dependency setup.
Recommendation: Before installing, verify Python 3 and required Python packages are available; the publisher should declare dependencies and include the referenced example config.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
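# Stock Monitor Pro - Full-Featured Intelligent Investment Advisory System ... 💡 Kimi suggestion: 🚀 Multiple conditions in resonance, strong trend; consider continuing to hold or reducing the position in batches.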

The skill frames itself as an investment-advice system and provides suggested trading actions. It also includes cautionary usage tips, so this is a trust/decision-making note rather than evidence of malicious behavior.

User impact: Users might over-rely on generated alerts or suggestions when making financial decisions.
Recommendation: Treat alerts as monitoring signals only and independently evaluate any buy/sell/hold decision.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/analyser.py
url = f"https://searchapi.eastmoney.com/api/suggest/get" ... params = {"input": name, "type": 14, "count": limit}

The analyser sends stock names/symbol-related queries to third-party financial/news providers. This is expected for the feature, but it creates an external data boundary for the user's watchlist.

User impact: Third-party providers may observe which securities are being monitored.
Recommendation: Only put holdings/watchlist entries in the configuration if you are comfortable querying those external services.