xqant daily gushouplus report

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s financial-report workflow is mostly coherent, but it documents an already-created cron job that runs every 60 seconds and posts automatically, which is broader than the stated daily 21:30 report purpose.

Review this skill carefully before installing. It appears intended to generate a Wind-based fixed-income fund report, but you should disable or rescope the documented cron job unless you truly want automatic runs every 60 seconds. Confirm the schedule is daily at 21:30, verify the local MEMORY/STANDARD data sources, and ensure Wind API usage is authorized and rate-limited.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI10: Rogue Agents (Medium)
What this means

The agent could run repeatedly and publish without a fresh user request, causing unwanted messages, costs, rate-limit usage, or unintended disclosure in the chat channel.

Why it was flagged

This describes persistent automated agent turns that post to chat every minute, while the skill’s stated purpose is a daily 21:30 report and its trigger section describes user requests.

Skill content
Cron job created ... Frequency: triggered automatically every 60 seconds ... Mode: isolated session + agentTurn payload ... Output: automatically published to the chat channel
Recommendation

Before installing or using, confirm whether any cron job exists, remove or disable it if not wanted, and change the schedule to a bounded daily 21:30 run with clear user approval and stop controls.

ASI02: Tool Misuse and Exploitation (Low)
What this means

Running the skill may make many financial-data API calls for the 87-product report.

Why it was flagged

The skill relies on bulk Wind financial-data calls. This is expected for the report purpose, but it can consume provider quota and depends on correct tool scoping.

Skill content
For each of the 87 products, call the following functions one by one: f_nav_adjustedreturn1 ... f_return_1y ... f_risk_maxdownside ... f_risk_maxdownside_date
Recommendation

Use it only with intended Wind access, monitor quotas/rate limits, and keep batch sizes and retries bounded.

ASI06: Memory and Context Poisoning (Low)
What this means

The report may reflect whatever is stored in the named local or memory files, including stale or unintended information.

Why it was flagged

The generated report depends on workspace documents and persistent memory as data sources; if those files are stale or modified, the report could inherit incorrect context.

Skill content
Read the 87 product codes from the following authoritative sources: Primary: STANDARD/蚂蚁固收 + 竞品清单 (最终版).md; Secondary: MEMORY.md; Local: references/product_codes.md
Recommendation

Keep MEMORY.md and STANDARD files trusted and current, and verify the final product list before relying on the report.

ASI04: Agentic Supply Chain Vulnerabilities (Info)
What this means

Users may need to inspect the skill contents manually to understand runtime expectations.

Why it was flagged

The registry has limited provenance/setup information even though the skill text references Python and ships a script file. No hidden install behavior is shown, but setup expectations are under-declared.

Skill content
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill; Required binaries ... none
Recommendation

Prefer a version with clear source provenance and accurate metadata for required binaries and runtime behavior.