BitSoulStockSkill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent stock-analysis skill that discloses its token use, remote market-data access, and local caching, with no artifact-backed evidence of hidden exfiltration or destructive behavior.
Before installing, make sure you trust the BitSoul/aicodingyard data service, protect your BITSOUL_TOKEN, and understand that the skill can cache market data locally and generate investment-style recommendations but does not show evidence of placing trades.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may produce confident investment analysis or buy/sell suggestions, but the artifacts do not show it can place trades.
The skill tells the agent to call stock-analysis APIs based on user requests, including buy/sell signal analysis. This is aligned with the stated purpose and does not show actual trade execution.
Based on the user's natural-language request, refer to references/API_FOR_LLM.md and call the corresponding interface ... When the user asks about a particular stock... directly call `api.get_trade_signal(code)`
Use the results as decision support only, verify important financial conclusions independently, and do not treat the skill as a licensed financial adviser.
Anyone with access to the configured token could use the associated BitSoul data service.
The code reads the BitSoul token from an environment variable or an explicitly configured env file. This credential use is disclosed and purpose-aligned for remote data access.
token = os.environ.get("BITSOUL_TOKEN") ... env_file = os.environ.get("BITSOUL_TOKEN_ENV_FILE") ... _parse_dotenv_value(Path(env_file).expanduser(), "BITSOUL_TOKEN")
Store the token in a protected environment variable or tightly permissioned env file, and rotate it if exposed.
The quality and integrity of local analyses depend on data downloaded from the provider.
Initialization can download a base data file from the provider when it is missing. That is consistent with a stock-data skill, but it creates reliance on the provider's remote data package.
if not os.path.exists(base_data_file): ... download_data_file("data_1.0.bin", base_data_file, max_retries=3)
Run initialization only when you trust the provider, and keep the skill/data source updated from the official homepage.
