v1.0.0

Chan Theory Stock Analysis Investment Research Report

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

This is a disclosed stock-analysis report skill, but it uses external finance/search tools, a finance API token, and a runtime PDF dependency, so users should install it deliberately and verify investment conclusions.

Guidance: Before installing, make sure you trust the finance-data dependency and any runtime Python package installation, configure the Tushare token securely, and independently verify generated investment conclusions and PDF contents before acting on them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
Fetch the following data in parallel (all called via the `finance-data-retrieval` skill) ... WebSearch: "{company name} latest announcements {current year and month}"

The skill directs the agent to chain an external finance-data skill and web searches. This is expected for stock research, but users should know network/tool calls are part of normal operation.

User impact: The agent may query external data sources and web search using the stock/company name the user provides.
Recommendation: Use it for non-sensitive stock queries and review the cited data sources in the final report.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
README.md
### Python dependencies (installed automatically at runtime)
- `reportlab`: used for PDF generation; installed automatically on first run

The README says a Python package is installed automatically at runtime, but the registry has no install spec or pinned package version. This is aligned with PDF generation but leaves dependency provenance/versioning less explicit.

User impact: First use may install a third-party Python package into the local environment.
Recommendation: Prefer preinstalling or pinning a trusted reportlab version, and make dependency installation explicit in an install spec if publishing the skill.
Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
references/chan-theory.md
≥ 15 points | ⭐⭐⭐⭐⭐ Very strong buy | Heavy position (40~60% position size)

The reference material includes strong buy and position-sizing language. This is disclosed and central to the skill's stock-analysis purpose, but users could over-trust automated financial conclusions.

User impact: The report may influence real investment decisions if treated as authoritative.
Recommendation: Treat outputs as research assistance only, verify data independently, and do not make trades solely from the generated report.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
README.md
Then configure the Tushare token:
```bash
export TUSHARE_TOKEN="your_tushare_token_here"
```

The skill's dependent data workflow uses a Tushare API token. This is purpose-aligned for market data, but it is a credential users should protect.

User impact: A finance-data API token may be available in the agent environment while running the analysis.
Recommendation: Store the token securely, use only the needed data-provider permissions, and avoid including the token in prompts, reports, logs, or shared files.