Skill v1.0.1
ClawScan security
Free A Share Real Time Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:31 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a coherent mootdx-based A-share data client, but it includes an undocumented trading-calendar dependency and an automatic monkey-patch that bypasses trading-hour checks; it also installs third-party packages via pip and performs live network calls — review before use.
- Guidance: This skill largely does what it says (mootdx client for A-share data) but check a few things before installing:
  1) The included script will run 'pip install mootdx' — only install in an isolated environment or container and consider pinning package versions.
  2) The code monkey-patches tdxpy.hq.time_frame to always return True (bypasses trading-hour checks). Understand and accept this behavior or modify it (prefer setting correct timezone / handling rather than globally bypassing checks).
  3) SKILL.md mentions a trading-calendar service but provides no configuration; ask the author or supply your own calendar and validate date handling.
  4) The demo/verify will make live connections to TDX servers — ensure outbound network access and privacy requirements are acceptable.
  5) Because the skill source is "unknown" and there is no homepage, prefer running the script in a sandbox, review the installed dependencies (mootdx/tdxpy) and their upstream project reputations, and consider auditing network endpoints the code connects to before allowing autonomous invocation.
Review Dimensions
- Purpose & Capability (note): Name/description match the code and README: all files implement a mootdx/TDX client for China A-share data. Requested footprint (no env vars, no binaries) is reasonable for a data client. One mismatch: the docs say a 'trading calendar service' must be available, but the skill does not declare how to supply this (no env, no config path, no included calendar).
- Instruction Scope (concern): SKILL.md and scripts instruct the agent to install packages, monkey-patch tdxpy.hq.time_frame to always return True, and run a demo that connects to TDX servers. The monkey-patch changes library behavior globally (bypassing trading-hour checks) which is intrusive and could be surprising. The demo/verify steps perform live network connections to external TDX servers and may run at install-time if the user executes the script. The instructions do not document where trading-calendar data comes from.
- Install Mechanism (note): No formal install spec in registry; the included script runs 'pip install mootdx' via subprocess. Using pip is common for Python skills but means arbitrary third-party code will be fetched and installed at runtime. This is moderate risk but expected for a Python client.
- Credentials (concern): The skill declares no required environment variables or credentials (consistent). However, SKILL.md requires an external 'trading calendar service' without declaring how to configure it (no env var or config path). That gap is an incoherence: either the skill should embed/ship a calendar or document the configuration point.
- Persistence & Privilege (ok): Skill does not request elevated privileges, does not set always:true, and does not modify other skills or system-wide configs. Autonomous invocation is allowed (default) and appropriate for this type of skill.
