Skill v1.0.2
ClawScan security
掘金量化skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 10:13 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and runtime behavior are consistent with a 掘金量化 (gm) Python SDK assistant that generates and runs trading strategies; nothing in the bundle appears unrelated or covert.
- Guidance
- This skill appears coherent for generating and running 掘金量化 strategies, but be careful before using it with real credentials or real money:
  1) Tokens: the skill expects your 掘金 token (GM_TOKEN) to run queries and backtests. Confirm where the token will be stored and avoid pasting long-lived production tokens if you don't want the skill or the agent conversation to retain them. Prefer a demo/sandbox account or a token with limited permissions.
  2) Review generated code before execution: the agent will create and then run Python strategy files (run_strategy.py launches them via subprocess). Inspect any generated .py before running to ensure it matches what you asked for.
  3) Trading risk: running in live mode can place real orders. Test in backtest or a simulated account first.
  4) Minor docs mismatch: README says it will "automatically save" the token, but I couldn't find code that persists it. Ask the skill author how tokens are saved and where. If needed, request explicit confirmation that tokens are not stored permanently, or ask for instructions to remove them after use.
Review Dimensions
- Purpose & Capability
- ok: Name/description focus on the 掘金量化 SDK and strategy generation/execution; the included scripts (strategy templates, run_strategy.py, tests, references) match that purpose. Required env/config/binaries are minimal and aligned with an SDK-based trading assistant.
- Instruction Scope
- note: SKILL.md instructs the agent to ask for strategy_id, to require set_token before data queries, and to generate runnable .py strategy files and call scripts/run_strategy.py. That stays within purpose. Minor inconsistency: the README says of the token "我会自动保存" ("I will save it automatically"), but there is no obvious code that persistently stores a token on disk; tokens are passed to the subprocess via the environment (GM_TOKEN), and set_token is expected in the generated scripts. Clarify where, and whether, the agent will persist tokens.
- Install Mechanism
- ok: No install spec and no external downloads. The skill ships its own example code and documentation only. No network installs or archive extraction are present in the bundle.
- Credentials
- note: The registry lists no required env vars, which is consistent, but the runtime uses GM_TOKEN, GM_STRATEGY_ID, GM_RUN_MODE, etc. (passed to the subprocess). The skill expects the user to provide a 掘金 token, which is reasonable for trading functionality, but token handling and persistence are not explicitly codified in the repository, so users should confirm how and where they provide or store the token and limit its permissions.
- Persistence & Privilege
- ok: always is false, and the skill does not declare or request system-wide persistence or modify other skills. It runs user-generated Python strategies (including via subprocess), which is expected for this skill's purpose.
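The Guidance items on reviewing generated code and avoiding live mode, together with the Credentials and Persistence notes, describe the runtime pattern (agent-generated .py files launched by run_strategy.py via subprocess, with the token supplied as GM_TOKEN in the environment) without showing what the recommended pre-run inspection looks like in practice. The following is an added example, not code from the 掘金量化 skill, the gm SDK, or ClawHub: a static pre-flight check over a generated strategy file that flags imports outside an allowlist, process-spawning or dynamic-code calls, a token string literal (which would be the on-disk persistence the review could not account for), and live mode, followed by a launcher that passes the child process only PATH and the three GM_* variables so nothing else from the parent environment reaches it. It assumes the generated file calls gm.api.run(...) with a mode= keyword and that MODE_LIVE is the SDK's constant for live trading (integer value 1); the allowlist, the names check_strategy, build_launch and launch, and the two SAMPLE_* strategy strings are constructed for this example.

```python
import ast
import os
import subprocess
import sys

# Allowlist of import roots a gm strategy needs (assumption for this example; extend as needed).
ALLOWED_ROOTS = {"gm", "numpy", "pandas", "talib", "datetime", "math", "os"}
# Callees with no place in a strategy file: process spawning, dynamic code, raw network access.
FORBIDDEN_CALLS = {"subprocess", "os.system", "os.popen", "eval", "exec", "socket", "requests", "urllib"}


def _dotted(node):
    """Return 'pkg.attr.fn' for a Name/Attribute chain used as a callee, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def check_strategy(source: str) -> dict:
    """Static pre-flight review of a generated strategy file; nothing in it is executed."""
    findings, live_mode, hardcoded_token = [], False, False
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or "."]
            for name in names:
                if name.split(".")[0] not in ALLOWED_ROOTS:
                    findings.append(f"line {node.lineno}: unexpected import {name!r}")
            continue
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee is None:
            continue
        if callee in FORBIDDEN_CALLS or callee.split(".")[0] in FORBIDDEN_CALLS:
            findings.append(f"line {node.lineno}: forbidden call {callee}()")
        kw = {k.arg: k.value for k in node.keywords}
        # gm.api.run() selects backtest vs live via mode=. MODE_LIVE is the SDK constant
        # (assumed here to be spelled by name, or given as its integer value 1).
        if callee in ("run", "gm.api.run") and "mode" in kw:
            mode = kw["mode"]
            if (isinstance(mode, ast.Name) and mode.id == "MODE_LIVE") or \
               (isinstance(mode, ast.Constant) and mode.value == 1):
                live_mode = True
        # A string literal as token= or set_token(...) means the token is written into the
        # .py file on disk, which is the persistence the review could not locate in the bundle.
        token_arg = kw.get("token")
        if callee in ("set_token", "gm.api.set_token") and node.args:
            token_arg = node.args[0]
        if isinstance(token_arg, ast.Constant) and isinstance(token_arg.value, str):
            hardcoded_token = True
    return {"findings": findings, "live_mode": live_mode, "hardcoded_token": hardcoded_token}


def build_launch(path: str, token: str, strategy_id: str, run_mode: str) -> tuple:
    """argv and a minimal child environment: PATH plus the three GM_* variables the skill's
    runner passes, so other secrets in the parent environment do not leak into the strategy."""
    env = {"PATH": os.environ.get("PATH", ""), "GM_TOKEN": token,
           "GM_STRATEGY_ID": strategy_id, "GM_RUN_MODE": run_mode}
    return [sys.executable, path], env


def launch(path: str, token: str, strategy_id: str, run_mode: str, allow_live: bool = False) -> int:
    """Review the file first; run it only if the review is clean and live mode was opted into."""
    with open(path, encoding="utf-8") as fh:
        report = check_strategy(fh.read())
    problems = report["findings"] + (["token literal in file"] if report["hardcoded_token"] else [])
    if problems:
        raise RuntimeError("refusing to run: " + "; ".join(problems))
    if report["live_mode"] and not allow_live:
        raise RuntimeError("refusing to run: strategy uses MODE_LIVE; pass allow_live=True to place real orders")
    argv, env = build_launch(path, token, strategy_id, run_mode)
    return subprocess.run(argv, env=env, check=False).returncode


# Constructed sample of a generated backtest strategy (token taken from env): should pass review.
SAMPLE_OK = '''
import os
from gm.api import *

def init(context):
    subscribe(symbols='SHSE.600000', frequency='1d')

if __name__ == '__main__':
    run(strategy_id=os.environ['GM_STRATEGY_ID'], filename='main.py', mode=MODE_BACKTEST,
        token=os.environ['GM_TOKEN'], backtest_start_time='2024-01-01 09:00:00',
        backtest_end_time='2024-06-30 15:00:00')
'''

# Constructed sample that should be refused: spawns a process, embeds the token, runs live.
SAMPLE_BAD = '''
import subprocess
from gm.api import *
set_token('pasted-production-token')
subprocess.run(['ls', '-l'])
run(strategy_id='abc', filename='main.py', mode=MODE_LIVE)
'''
```

Running check_strategy over the two constructed samples is the quickest way to see the split: the backtest file reports no findings and no token literal, while the second file reports the unexpected subprocess import, the forbidden subprocess.run() call, a hardcoded token and live mode, so launch() refuses it before any Python is executed. The allowlist is deliberately small; a strategy that legitimately needs another package should be added to it explicitly rather than by widening the check.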
