Skill v1.0.0
ClawScan security
A Stock Pattern Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 2:44 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only A-share short-term trading review (复盘) framework; it contains templates and data-source references but doesn't request credentials, install code, or perform unexpected actions.
- Guidance: This is a coherent, instruction-only trading review framework (templates, indicators, and checklists). It does not install code or request credentials, so it cannot fetch live market data by itself — the data sources named (thsdk, stockapi, 问财, Kronos) imply external APIs but no access method is provided. Before relying on it: (1) understand that it only provides analysis templates, not automated data collection or order execution; (2) if you or an integrator add live-data fetching, ensure API keys and access are stored securely and audit network endpoints; (3) treat any trading recommendations as informational, not guaranteed advice, and confirm risk/position limits independently.
Review Dimensions
- Purpose & Capability (note): The skill's name and description align with the SKILL.md content (templates, checklists, analysis rules). It references specific market data providers (thsdk, stockapi, 问财, Kronos), but the skill declares no credentials or integration steps — which is consistent for a purely instructional template but may be misleading if a user expects the skill to fetch live data automatically.
- Instruction Scope (ok): SKILL.md contains only guidance, templates, trigger keywords, and lists of indicators to evaluate. It does not instruct the agent to read unrelated files, exfiltrate data, call external endpoints, or access environment variables beyond what is declared (none).
- Install Mechanism (ok): No install spec or code files to write or execute. Instruction-only skills have minimal installation risk.
- Credentials (note): The skill requests no environment variables or credentials (proportional). However, it names proprietary data sources and indicators without explaining how to access them; if someone later augments this skill to fetch data, appropriate API keys/credentials would be required.
- Persistence & Privilege (ok): always is false and there is no install-time behavior or configuration changes. The skill does not request elevated persistence or modify other skills/settings.
