Skill v1.0.0

ClawScan security

Stock technical analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 4:07 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The declared functionality and most of the requested environment/dependencies are reasonable, but the code relies on an external 'toc-trading' adapter (looked up via a path that climbs outside the skill folder), omits declared Python package dependencies, and has no install instructions; these inconsistencies merit caution before installing or providing the API key.
Guidance
This skill largely does what it says (runs local Python tools to analyze stock candles) and only asks for one API key. However: (1) the scripts insert a path that reaches outside the skill folder and import StockDataAdapter from 'toc-trading/src' — verify that repository/module before providing any API key because it controls where your data and API key are used; (2) required Python libraries (pandas, numpy, mplfinance, TA-Lib) are not declared — ensure you run this in an isolated environment with those packages installed; (3) confirm the StockDataAdapter's behavior (network endpoints, telemetry, logging) so you know whether data or your API key could be sent elsewhere. If you don't trust the unknown source/owner, do not supply STOCK_DATA_API_KEY or run these scripts on a machine with sensitive credentials; consider reviewing or replacing the data-adapter code with a known-good implementation first.

Review Dimensions

Purpose & Capability
note: The skill name/description (stock technical analysis) matches the provided scripts and the single declared env var (STOCK_DATA_API_KEY). However, the code expects several heavy Python libraries (pandas, numpy, mplfinance, TA-Lib) and an external module StockDataAdapter from a 'toc-trading/src' path that is not included in the skill; those dependencies are not declared in the registry metadata, which is disproportionate to the minimal requires.env/bins list.
Instruction Scope
note: SKILL.md restricts actions to running local tool scripts for fetching data, computing indicators, recognizing patterns, analyzing trend/volume and generating charts. It does not instruct reading other secrets or system files. However, the scripts themselves insert a parent-directory path and import StockDataAdapter (from toc-trading), which expands the runtime scope beyond the skill folder and could cause the skill to execute code from an external/shared repository at runtime.
Install Mechanism
note: There is no install spec (lowest risk), but the code depends on multiple Python packages (pandas, numpy, mplfinance, talib/TA-Lib) and on a local 'toc-trading' code path. The lack of declared installation steps or package requirements means runtime failures are likely and makes it unclear which third-party components will execute when the skill runs.
Credentials
ok: Only a single credential (STOCK_DATA_API_KEY) is requested, which is reasonable for a data-fetching adapter. That said, the actual StockDataAdapter implementation is not included here; you should verify how it uses the key (where it sends requests, logging, telemetry).
Persistence & Privilege
ok: The skill does not request always:true and does not claim to modify other skills or system-wide settings. It runs tools on demand (user-invocable/autonomous invocation is normal).