Skill v1.0.1

ClawScan security

Stock Data Collector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 12, 2026, 2:13 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (collecting A‑share and HK‑share historical data) and it does not request credentials or perform suspicious I/O or network calls beyond using standard data libraries.
Guidance
This skill is internally consistent and implements local CSV export using akshare and yfinance. Before running: (1) install dependencies in a virtualenv (pip install akshare yfinance pandas); (2) be aware the scripts make network calls to data providers (akshare/yfinance) — ensure you are comfortable with those libraries and their network access; (3) test on a small sample to confirm minute-level data behaviour (there is a mismatch: batch mode limits periods to daily/weekly/monthly); (4) run in an isolated environment if you want to limit risk from third‑party packages. No credentials are required and the scripts only write files to the local output directory.

Review Dimensions

Purpose & Capability
ok
Name/description describe historical stock data collection; included scripts implement fetching via akshare and yfinance and exporting CSVs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note
The SKILL.md and scripts largely align (instructions call the included scripts). Small inconsistency: SKILL.md and fetch_stock.py mention minute-level intervals, but batch_fetch.py restricts period choices to daily/weekly/monthly and the A‑market fetching logic only maps daily/weekly/monthly — minute-level collection is not implemented for A shares in batch mode. This is a functionality/documentation mismatch, not malicious scope creep.
Install Mechanism
ok
No install spec in registry; the README recommends installing Python packages via pip (akshare, yfinance, pandas). No downloads from arbitrary URLs or archive extraction are present.
Credentials
ok
The skill requests no environment variables or credentials. It uses third‑party Python libraries for data retrieval — no secrets are required or used.
Persistence & Privilege
ok
always is false; the skill is user-invocable and can be invoked by the agent normally. It does not modify other skills or system configuration and only writes CSV files to a user-specified output directory.