Skill v1.0.1

ClawScan security

a-stock-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 13, 2026, 12:23 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions generally match a stock-analysis tool that scrapes public finance APIs, but there are implementation/packaging inconsistencies (missing dependency/install spec and incomplete guarantees about the required cross-validation sources) that warrant caution before installing or running it.
Guidance
This package appears to be a legitimate A-share analysis tool that scrapes public finance endpoints (Eastmoney, Sina) via akshare and requests. Before installing or running it you should:
1) be aware you must manually install Python dependencies (akshare, pandas, numpy, requests); the skill does not declare them. Run it in a VM or isolated environment until you validate behavior;
2) expect outbound network calls to public endpoints (Eastmoney, Sina) which will reveal queried stock codes and timestamps to those services. If that is a privacy concern, do not run it;
3) note SKILL.md requires cross-validation with both 东方财富 and 同花顺, but the code does not clearly guarantee both sources always succeed. Verify the implementation meets your validation needs;
4) review the code locally for bugs and error handling (there are minor scoping/logic issues) and for compliance with the data provider terms of service;
5) if you want to allow autonomous agent use, be comfortable the agent can make outbound HTTP requests to public APIs.
If any of these points are unacceptable, do not install or run the skill until corrected.

Review Dimensions

Purpose & Capability
Note: Name/description match the code: both are focused on A-share review (复盘) using AkShare and public finance endpoints (Eastmoney, Sina). However, the skill package declares no install spec or dependency list even though the code requires Python packages (akshare, pandas, numpy, requests); this mismatch may break runtime expectations and is a packaging oversight.
Instruction Scope
Note: SKILL.md instructs extensive data collection and explicit cross-validation (东方财富 + 同花顺 + 新浪). The code calls akshare and directly queries Eastmoney and Sina; it does not explicitly call a 同花顺 web API in an obvious, named way (it relies on akshare wrappers and backup web endpoints). The instructions do not ask for unrelated local files or secrets, so scope is generally limited to public data collection, but the promised two-source validation is not clearly enforced by implementation.
Install Mechanism
Concern: This is labeled instruction-only with no install spec, but the bundle includes Python code that depends on non-standard packages (akshare, pandas, numpy, requests). No dependency declaration or install instructions are provided, so installing/running may require manual dependency setup. Missing install/dependency metadata is an operational and supply-chain concern.
Credentials
OK: The skill requests no environment variables, no credentials, and the code does not read secrets or config paths. All external access is to public finance endpoints, which is proportionate to the stated purpose.
Persistence & Privilege
OK: The skill does not set always: true, does not request elevated privileges, and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined here with other worrisome privileges.