A股-加密货币-定时早报-多维度指标全方位分析-安装即用无复杂配置-自带验证降低幻觉
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent market-analysis skill with user-directed data-fetch scripts and an optional news API token, with no evidence of hidden account actions or data exfiltration.
Before installing, be aware that the helper scripts may make outbound calls to public market-data providers and may use a CryptoPanic token if you provide one. Install dependencies in the local virtual environment, keep tokens out of chat logs, and treat the generated trading reports as research rather than financial advice.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the helpers will contact third-party market-data services and may reveal which symbols or markets the user queried.
The helper scripts make outbound market-data API calls using user-supplied symbols. This is expected for a market-analysis skill, and the artifacts do not show account mutation or trading actions.
ex = ccxt.binanceusdm({"enableRateLimit": True}) ... ex.fetch_ticker(normalized_symbol) ... ex.fetch_l2_order_book(normalized_symbol, limit=100)Run the scripts only for intended symbols and rely on the documented public data sources; do not treat generated analysis as an automated trading instruction.
If provided, the CryptoPanic token will be used to call the news provider and could be exposed if the user pastes it into chat or logs it elsewhere.
The skill can use an optional CryptoPanic API token for news. This is disclosed and purpose-aligned, but it is still credential use that users should handle carefully.
parser.add_argument("--token", help="CryptoPanic token (optional if env set)") ... token = args.token or os.getenv("CRYPTOPANIC_TOKEN")Provide the token only when news is needed, prefer environment variables over chat messages, and rotate the token if it is accidentally shared.
Installing dependencies runs package installation code from external package sources in the user's environment.
The optional bootstrap installs Python dependencies. This is a standard, user-directed setup step and the requirements file pins package versions, but it still introduces third-party package supply-chain exposure.
subprocess.check_call([str(py), "-m", "pip", "install", "-U", "pip"]) subprocess.check_call([str(py), "-m", "pip", "install", "-r", str(req)])
Use the provided virtual environment workflow, review the pinned requirements, and install only from trusted package indexes.