v1.0.3

A股-加密货币-定时早报-多维度指标全方位分析-安装即用无复杂配置-自带验证降低幻觉

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:57 AM.

Analysis

No malicious behavior is evident; this is a disclosed market-analysis skill, but running its helper scripts installs Python packages, contacts public market APIs, and can use an optional CryptoPanic token.

GuidanceBefore installing or running it, review the Python scripts and dependencies, expect outbound calls to public market/news APIs, and handle the optional CryptoPanic token carefully. Treat the generated trading analysis as research only, not financial advice or an automated trading system.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityInfoConfidenceHighStatusNote

references/data_sources.md

Crypto via ccxt binanceusdm: ticker/ohlcv/orderbook/trades/funding/OI ... A-share via akshare

The skill discloses that helper scripts contact external market-data providers; this is purpose-aligned, but users should know their symbol/date queries may leave the machine.

User impactRunning the fetch scripts can send market symbols, dates, and news queries to third-party public data services.

RecommendationRun the helpers only when network access to those public providers is acceptable, and avoid putting private information into query parameters.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/bootstrap.py

subprocess.check_call([str(py), "-m", "pip", "install", "-U", "pip"])
subprocess.check_call([str(py), "-m", "pip", "install", "-r", str(req)])

The optional bootstrap script installs Python tooling and dependencies; this is expected for the data-fetch helpers, but it runs package-install commands from the local environment.

User impactRunning the bootstrap will download/install Python packages into a local virtual environment.

RecommendationReview the scripts and requirements first, run them in the provided virtual environment, and install only from a trusted package source.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/fetch_samples.py

token = os.getenv("CRYPTOPANIC_TOKEN")
    if token:
        ... data["news"] = fetch_cryptopanic(token, _base_symbol(normalized_symbol))

If a CryptoPanic token is present in the environment, the crypto fetch helper can use it to retrieve news; this is disclosed and purpose-aligned, but it is still credential use.

User impactA user-provided CryptoPanic token may be sent to CryptoPanic when fetching crypto data or news.

RecommendationUse a dedicated low-privilege token, prefer environment variables over pasting tokens into chat, and unset the token when it is not needed.