Skill v1.0.0

ClawScan security

WorkBuddy 掘金量化助手 (GM版) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent with a gm (掘金量化) Python SDK assistant: it generates strategy .py files, runs them via the included runner, and asks for a token and strategy_id — nothing in the files or instructions indicates unrelated or covert behavior.
Guidance
This skill appears to do what it claims: generate Python strategies for the 掘金 (gm) SDK and run them locally. Before installing or using it:
1) Do not paste your gm token into chat unless you trust the skill. The token grants API access to your account and will be passed to child processes via environment variables.
2) The README says the token will be "automatically saved", but the provided scripts only pass the token to the subprocess environment; confirm where (and whether) any token is stored persistently before trusting that claim.
3) Always review any generated .py strategy file before running it; the skill executes those files locally via subprocess.
4) Use backtest mode or a sandbox account first (not your real trading account) until you are certain the generated strategy behaves as intended.
5) If you need guarantees about secrets handling, ask the skill author how tokens are stored and whether any telemetry or external endpoints are used (none are visible in the included files).

Review Dimensions

Purpose & Capability
ok
Name/description match the contained assets: references to the gm SDK, many example strategy scripts, and a README and references documenting gm APIs. Required permissions and binaries are minimal (none declared). The code and SKILL.md stay focused on strategy generation, backtest/live runs, data queries, and trading, all coherent with the stated purpose.
Instruction Scope
note
SKILL.md and the README instruct the agent to ask for a strategy_id and a user token (set_token) and to generate and run .py strategy files using scripts/run_strategy.py. This scope is expected, but there is a small mismatch: the README and SKILL.md say the skill will "automatically save" the token, yet the included scripts do not show any persistent storage of tokens; they pass the token to child processes via environment variables. The agent will execute user-generated Python locally (via subprocess), so users should review generated code before running it.
Install Mechanism
ok
Instruction-only plus included Python scripts; no install spec and no external downloads. No package installs or remote code fetches in the manifest. Low install risk.
Credentials
note
The skill expects a gm token to operate (SKILL.md and the README require set_token and run() with a token), but the skill metadata declares no required env vars. This is not malicious, since the token is a runtime input provided by the user, but users should be aware that the token grants access to their account and will be passed to child processes via the GM_TOKEN environment variable. Treat the token like a secret.
Persistence & Privilege
ok
The skill is not marked always:true and does not request system-wide privileges. The code does not modify other skills or global agent configs. The only persistence implied is storing strategy results in the official 掘金 terminal (掘金终端) backend (via strategy_id), which is part of normal platform behavior.
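The token-handling points above (Guidance items 1 to 3, the Credentials note, and the Persistence note) can be checked concretely rather than taken on trust. The Python below is an added example written for this review page; it is not the skill's own scripts/run_strategy.py and does not call the gm SDK. It assumes only the GM_TOKEN variable name the review reports; the stand-in strategy file, the GM_MODE variable, the temporary paths, and the audit helper are constructed for the example. It launches a generated strategy in a child process with the token supplied solely through that child's environment, then verifies that the parent environment is unchanged and that nothing under the skill directory has the token written into it.

```python
"""Added example (not the skill's code): run a strategy file in a child
process with the gm token passed only via the child's environment, then
audit the skill directory for any persisted copy of the token.

Assumption: GM_TOKEN is the variable name the ClawScan review reports for
the included scripts. GM_MODE is a hypothetical knob added here so the
child defaults to backtest mode; it is not a gm SDK feature.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a generated strategy .py file. It only reads the
# token from its environment and reports the token length back to the parent,
# so the parent can confirm delivery without echoing the secret itself.
STUB_STRATEGY = r'''
import os, sys
tok = os.environ.get("GM_TOKEN")
if not tok:
    sys.exit("GM_TOKEN missing")
print("mode", os.environ.get("GM_MODE", "backtest"))
print("token-len", len(tok))
'''


def run_strategy(strategy_path: Path, token: str, mode: str = "backtest") -> str:
    """Execute one strategy file in a subprocess.

    The token is placed in a copy of the environment that only the child
    sees; os.environ in the parent is never modified. Live mode must be
    requested explicitly, matching Guidance item 4 (backtest first).
    """
    if mode not in ("backtest", "live"):
        raise ValueError("mode must be 'backtest' or 'live'")
    child_env = {k: v for k, v in os.environ.items() if k != "GM_TOKEN"}
    child_env["GM_TOKEN"] = token
    child_env["GM_MODE"] = mode  # hypothetical, see module docstring
    proc = subprocess.run(
        [sys.executable, str(strategy_path)],
        env=child_env,
        capture_output=True,
        text=True,
        timeout=60,
        check=True,
    )
    return proc.stdout


def files_containing_token(skill_dir: Path, token: str) -> list[str]:
    """Audit helper: list every file under skill_dir whose bytes contain the
    token value. An empty list is what 'not persisted' should look like."""
    hits = []
    for path in skill_dir.rglob("*"):
        if not path.is_file():
            continue
        try:
            if token in path.read_text(errors="ignore"):
                hits.append(str(path.relative_to(skill_dir)))
        except OSError:
            pass  # unreadable file: skip, do not fail the audit
    return sorted(hits)


def demo(token: str = "EXAMPLE-NOT-A-REAL-TOKEN") -> dict:
    """Write the stub strategy into a throwaway skill directory, run it, and
    return the three facts a user would want before trusting the skill."""
    env_before = dict(os.environ)
    with tempfile.TemporaryDirectory() as tmp:
        skill_dir = Path(tmp)
        strategy = skill_dir / "generated_strategy.py"
        strategy.write_text(STUB_STRATEGY)
        out = run_strategy(strategy, token)
        return {
            "child_saw_token": f"token-len {len(token)}" in out,
            "child_mode": "backtest" if "mode backtest" in out else "other",
            "parent_env_unchanged": dict(os.environ) == env_before,
            "files_with_token": files_containing_token(skill_dir, token),
        }


if __name__ == "__main__":
    print(demo())
```

Run `files_containing_token` against the real skill directory after a genuine run with a throwaway token to settle the "automatically saved" question for yourself: a non-empty list names exactly where the token landed.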