Skill v1.0.0
ClawScan security
A Stock Monitor 1.1.2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 5, 2026, 4:00 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the described A-share monitoring system, but there are several mismatches and hygiene issues (undeclared/misdeclared dependencies, inconsistent default credentials, and network/webhook examples) that warrant review before installing or running it in production.
- Guidance: This package largely matches its description, but review these before installing:
  1. Dependencies: SKILL.md lists akshare, flask and ccxt; ccxt looks unrelated and the code imports tushare (not declared). Ensure you install only the packages you need (and in a virtual environment).
  2. Default credentials: change any hardcoded defaults (config.py / docs show contradictory defaults like 'stock2024' vs 'admin123'); do not expose the service to public networks with default passwords.
  3. Network behavior: the code fetches data from sina/akshare and may perform high-frequency requests (risk of IP blocking); some example scripts post to external webhooks. Audit any webhook URLs before running.
  4. Run in isolation: because the bundle contains many scripts and network calls, run it first in a sandbox or VM and inspect logs.
  5. Fix imports: if you don't intend to use Tushare, either install it or remove/guard its import to avoid runtime failures.
  If you want a clean, minimal install list, update SKILL.md to accurately reflect required packages. If you want, I can list the exact files that import tushare/ccxt or produce a minimal pip install command after scanning the imports.
Review Dimensions
- Purpose & Capability (note): The code and documentation implement a stock-monitoring/selection system consistent with the skill description (data sources, selectors, web UI, cron tasks). However, the metadata lists 'ccxt' (a crypto exchange library), which is unrelated to A-share monitoring, and the code imports 'tushare' (used conditionally) but tushare is not included in the declared package list. This is an inconsistency.
- Instruction Scope (note): Runtime instructions stick to the stated purpose (run fetchers, selectors, start the Flask app, set cron jobs). Example workflows include network activity (hq.sinajs.cn, akshare, akshare's own network calls), which is expected. Some examples demonstrate sending alerts to external webhooks via curl (custom_alert.py); this is benign for notifications, but it shows the skill can transmit summarized data externally if you run those scripts.
- Install Mechanism (concern): This is marked 'instruction-only', but the bundle contains many Python source files. There is no explicit install spec; SKILL.md lists runtime Python packages (akshare, flask, ccxt), but the code also imports tushare and other modules not listed. The declared packages are therefore incomplete/misaligned and also include an unrelated dependency (ccxt). That makes installation fragile and raises the risk of unexpected packages being required/installed by the user.
- Credentials (note): The skill does not request environment variables or external credentials in metadata (TUSHARE_TOKEN is optional in code). However, documentation and code contain multiple default credentials/settings that are inconsistent: config.py sets PASSWORD='stock2024' while FINAL_SUMMARY references admin/admin123 and API.md mentions default password stock2024. Default credentials present in docs/code are a security hygiene issue and should be changed. The optional Tushare token would be appropriate only if you enable Tushare; its unconditional import may cause runtime errors if it is not installed.
- Persistence & Privilege (ok): The skill does not request elevated privileges, does not mark always:true, and does not declare any required config paths. It runs as ordinary user scripts and exposes a local Flask web UI. Cron examples require the user to add jobs explicitly.
