Skill v2.4.3

ClawScan security

A股短线营收分析助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 29, 2026, 5:01 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and SKILL.md clearly rely on an EastMoney API key and local .env files, but the registry metadata declares no required environment variables. That mismatch, together with the presence of runnable scripts, warrants caution.
Guidance
This skill contains runnable Python scripts and a SKILL.md that expects an EastMoney API key read from local .env files, but the registry metadata lists no required environment variables. Resolve that inconsistency before installing:

1. Confirm whether you must supply EASTMONEY_APIKEY, and where the skill will store or read it.
2. Inspect scripts/stock_utils.py (especially post_eastmoney and get_eastmoney_apikey) to verify which external endpoints are contacted, how the key is used, and whether it is ever logged.
3. Ensure .env and .env.local are excluded from version control, and prefer a limited-scope API key.
4. If you plan to run this skill on an agent, run the included tests locally and review the network calls they generate; enable network access only once you have verified that the EastMoney base URL in the README belongs to the legitimate provider.

The mismatch between declared registry requirements and actual code is the main red flag: ask the author to update the registry to list the required environment variables and to document exactly which external endpoints the skill calls.
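The checks in steps (1) and (2), and the undeclared-credential mismatch raised again under the Credentials dimension below, can be run offline before installing. The following is an added example written for this page, not code from the skill, its author or ClawHub: it scans a script for environment-variable lookups, .env file references, external hosts and places where a value read from the environment reaches a print or logging call, then diffs the variable names against what the registry declares. The embedded stock_utils.py is a constructed stand-in; its placeholder host quote.eastmoney.example, the empty declared-env set and the leaking print call are assumptions made for the example, not findings about the real skill.

```python
# Added example (not the skill's or ClawHub's code): offline, regex-based audit of a
# skill's scripts against the env vars its registry metadata declares. Heuristic only.
import re

# Constructed stand-in for scripts/stock_utils.py; NOT the skill's real code, and
# quote.eastmoney.example is a placeholder host (reserved TLD), not a real endpoint.
SAMPLE_STOCK_UTILS = '''\
import os, json, urllib.request
BASE_URL = "https://quote.eastmoney.example/api"  # placeholder host, constructed

def load_local_env():
    for fname in (".env.local", ".env"):
        if os.path.exists(fname):
            for line in open(fname):
                k, _, v = line.strip().partition("=")
                os.environ.setdefault(k, v)

def get_eastmoney_apikey():
    load_local_env()
    key = (os.environ.get("EASTMONEY_APIKEY")
           or os.getenv("EASTMONEY_API_KEY")
           or os.environ.get("EM_API_KEY"))
    return key

def post_eastmoney(path, payload):
    apikey = get_eastmoney_apikey()
    print("debug: using key", apikey)  # secret reaches a log sink
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(payload).encode(),
                                 headers={"X-Api-Key": apikey})
    return urllib.request.urlopen(req).read()
'''
# Constructed: the registry declares no required env vars (the scan's finding).
DECLARED_ENV = set()

ENV_LOOKUP_RE = re.compile(r'os\.(?:environ\.get|getenv|environ)\s*[\(\[]\s*["\']([A-Z0-9_]+)["\']')
DOTENV_RE = re.compile(r'["\'](\.env(?:\.[A-Za-z]+)*)["\']')
URL_HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=(?!=)\s*(.+)$')
DEF_RE = re.compile(r'^\s*def\s+(\w+)\s*\(')
RETURN_RE = re.compile(r'^\s*return\s+(\w+)\s*$')
LOG_CALL_RE = re.compile(r'\b(?:print|logging\.\w+|logger\.\w+|log\.\w+)\s*\(')

def env_lookups(source):
    """Env var names read via os.environ[...] / os.environ.get / os.getenv."""
    return set(ENV_LOOKUP_RE.findall(source))

def local_config_files(source):
    """.env-style file names the source opens or mentions."""
    return set(DOTENV_RE.findall(source))

def external_hosts(source):
    """Hosts in http(s) URL literals; compare with the provider's documented domain."""
    return set(URL_HOST_RE.findall(source))

def secret_log_lines(source):
    """1-based lines where a value derived from an env lookup reaches print/log.
    Taint: name = os.environ.get(...) -> return name (taints the function) -> x = func()."""
    lines = source.splitlines()
    tainted_names, tainted_funcs = set(), set()
    changed = True
    while changed:  # fixed point, so definition order does not matter
        changed = False
        current_func = None
        for line in lines:
            d = DEF_RE.match(line)
            if d:
                current_func = d.group(1)
            a = ASSIGN_RE.match(line)
            if a:
                name, rhs = a.groups()
                tainted = ENV_LOOKUP_RE.search(rhs) or any(
                    re.search(rf'\b{f}\s*\(', rhs) for f in tainted_funcs)
                if tainted and name not in tainted_names:
                    tainted_names.add(name)
                    changed = True
            r = RETURN_RE.match(line)
            if r and current_func and r.group(1) in tainted_names \
                    and current_func not in tainted_funcs:
                tainted_funcs.add(current_func)
                changed = True
    return {n for n, line in enumerate(lines, 1) if LOG_CALL_RE.search(line)
            and any(re.search(rf'\b{t}\b', line) for t in tainted_names)}

def audit_skill(scripts, declared_env):
    """scripts: {path: source}. Returns findings plus whether the registry is incomplete."""
    f = {"env_vars": set(), "local_config_files": set(), "external_hosts": set(),
         "secret_log_lines": {}}
    for path, src in scripts.items():
        f["env_vars"] |= env_lookups(src)
        f["local_config_files"] |= local_config_files(src)
        f["external_hosts"] |= external_hosts(src)
        if leaks := secret_log_lines(src):
            f["secret_log_lines"][path] = leaks
    f["undeclared_env"] = f["env_vars"] - set(declared_env)
    f["registry_mismatch"] = bool(f["undeclared_env"])
    return f

if __name__ == "__main__":
    for k, v in audit_skill({"scripts/stock_utils.py": SAMPLE_STOCK_UTILS}, DECLARED_ENV).items():
        print(f"{k}: {v}")
```

Run it with the skill's real scripts/stock_utils.py read from disk in place of the sample, and with the registry's declared list in place of DECLARED_ENV: a non-empty undeclared_env is exactly the discrepancy the scanner flags, and any secret_log_lines entry is the logging check from step (2). Because the matching is textual, indirections such as `environ = os.environ` or dynamically built variable names are missed, so treat an empty result as a reason to read the code, not as a clean bill.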

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (A-share short-term and revenue analysis) legitimately requires web search and an EastMoney API key; SKILL.md and the scripts reference EASTMONEY_APIKEY, .env.local/.env, and network endpoints. However, the registry metadata lists no required environment variables or credentials, so the declared requirements do not match the capabilities the code actually needs.
Instruction Scope
note: Runtime instructions explicitly direct the skill to use Web Search and EastMoney structured queries, to read and write reports under stock-reports/, and to read local .env files (EASTMONEY_APIKEY). Those actions fit the stated purpose (data fetching, verification, report generation), but they mean the skill accesses local config files and makes outbound network calls; expect that, and verify the endpoints before enabling it.
Install Mechanism
ok: No install spec is provided (instruction-only on the platform). The repository contains pure-Python scripts that claim to use only the standard library, and requirements.txt is empty, so no automatic installer pulls remote binaries. This lowers install risk, but the executable scripts can still perform network I/O and file reads and writes when run locally.
Credentials
concern: The code and documentation require an EastMoney API key (read from EASTMONEY_APIKEY, EASTMONEY_API_KEY or EM_API_KEY) and a base URL for EastMoney endpoints, which is proportionate to the stated functionality. The problem is that the registry metadata declares no required environment variables or primary credential, a discrepancy that can mislead users about which secrets the skill needs or will access.
Persistence & Privilege
ok: The skill is not marked 'always:true' and does not request elevated platform privileges. It reads and writes local report files under stock-reports/ and reads .env files, as its instructions describe and as expected of a report generator, but it does not appear to modify other skills or system-wide settings.