Stock Select
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed stock-trading assistant, but it can handle financial login tokens, account details, and AI-assisted order placement through a third-party API without clear approval or scope limits.
Treat this as a high-trust financial integration. Do not connect real brokerage accounts or provide credentials unless you trust Stockbot and understand its permissions. Require manual review for every order, use the least-privileged account possible, avoid persistent token storage, and revoke access when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could help initiate stock trades that affect real brokerage accounts and money if the user provides access.
The skill explicitly supports broker account management and AI-assisted order placement. Financial trades are high-impact actions, and the provided artifacts do not show required user confirmation, order previews, limits, or rollback guidance.
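Multi-broker account management and AI-assisted order placement. Makes stock selection → analysis → trading a one-stop process. Trigger words: ... 交易下单 (place a trade order)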
Use only with explicit manual confirmation for every order. The skill should document trade previews, account selection, amount limits, cancellation behavior, and a rule that no order is placed without the user’s final approval.
If credentials or tokens are mishandled, someone could access account information or potentially perform trading actions through the linked service.
The skill asks the agent to handle user login credentials, long-lived tokens, and trading-account details such as broker account identifiers and balances. This is sensitive financial account authority.
POST ${STOCKBOOT_API_URL}/auth/login ... Body: {"username": "xxx", "password": "xxx"} ... accounts: ... brokerAccount, availableBalance ... token: JWT Token (valid for 7 days) ... refreshToken (valid for 14 days)
Only use limited-scope credentials or tokens, avoid sharing brokerage passwords unless absolutely required, revoke tokens after use, and verify that the provider’s account permissions and security controls are acceptable.
Users must trust the external service operator with sensitive financial workflow data and possibly trading authority.
The skill relies on a third-party backend for authentication, market data, and trading, while the backend source is private and not reviewable in the submitted artifacts.
Official website: https://stockbot.me ... Backend source code: private repository ... Default API address: https://api.stockbot.me
Review the provider, terms, security posture, and broker authorization model before using real accounts. Prefer self-hosting or audited service code for sensitive trading workflows.
The provider may receive login-related data and details of the user’s investment interests or trading workflow.
The skill discloses that user authentication information and stock-selection criteria are sent to the Stockbot API over HTTPS. This is purpose-aligned, but still sensitive external data sharing.
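Data flow: requests are sent only to the Stockboot API ... Data types: stock codes, stock-selection criteria, user authentication information ... Transport security: all requests are transmitted encrypted over HTTPS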
Do not submit credentials or trading instructions unless you trust the provider. Confirm what data is stored, retained, logged, and shared by the API service.
