Skill v3.0.0

ClawScan security

stock-research-engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 5, 2026, 4:02 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions and outputs match a stock research engine, but it asks the agent to rely on specific third‑party data sources (some of which typically require API keys or installed libraries) without declaring required credentials or installs — this mismatch merits caution.
Guidance
This skill appears to be a legitimate, well-scoped stock research template, but it expects the agent to fetch data from named financial data providers (tushare/akshare, FMP, Yahoo Finance, company IR pages). Before installing, verify:
1) How will the agent access those sources — does your environment or agent have API keys/credentials (Tushare token, FMP key) or browser access? The skill doesn't declare required credentials.
2) If you must provide API keys, consider the sensitivity of those keys and whether you trust the skill/agent to use them only for this purpose.
3) Confirm whether the agent will use external browsing/tools (which may show paid content or require logins) and whether you are comfortable with that network access.
4) The skill produces investment analysis; ensure you understand legal/regulatory implications (investment advice) and confirm the expected disclaimer and limitations.
If the publisher can clarify required credentials and how data access is performed (browser vs API vs installed SDK), that would raise confidence.

Review Dimensions

Purpose & Capability: ok
The name/description (deep fundamental stock research across A/H/US markets) aligns with the SKILL.md: it prescribes a detailed research framework, sources, and a specific output format. The requested activities (multi‑source financial search, valuation dashboard, management/competitive analysis) are coherent with the stated purpose.
Instruction Scope: ok
Runtime instructions are narrowly scoped to web/search-based data collection and structured analysis; they do not instruct the agent to read local files, environment variables, or modify system configuration. The SKILL.md emphasizes data provenance, cross-checking, and not fabricating data, which constrains agent behavior.
Install Mechanism: ok
This is an instruction-only skill with no install spec and no code files — minimal on-disk risk. No downloads, package installs, or binary requirements are declared.
Credentials: concern
The skill explicitly prioritizes data sources such as tushare/akshare and FMP and refers to structured APIs and data feeds. Some of these sources typically require API tokens, SDKs, or local packages (e.g., Tushare needs a token; FMP often requires a key). Yet the skill declares no required env vars, credentials, or config paths. That mismatch (expecting authenticated data sources but not declaring credentials or install steps) is the main incoherence.
Persistence & Privilege: ok
always:false and no install behavior means the skill does not request persistent/privileged presence. The skill does not ask to modify other skills or system-wide settings; autonomous invocation is allowed by platform default but not combined with other red flags here.