Buffett Analysis

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill’s financial-analysis purpose is coherent, but one bundled script can turn a user-provided company name into shell command execution, and the skill also mandates local report-file changes without explicit approval.

Review before installing. If you use it, avoid passing untrusted or oddly formatted company names until the shell execution bug is fixed, and confirm whether you want the skill to update alpha-factor-lab/fundamental-reports.json after every report.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or accidental company-name input could cause the agent’s environment to run commands beyond fetching financial data.

Why it was flagged

The script accepts the company keyword from user input and interpolates it into an unquoted shell command. A crafted company name containing shell metacharacters could execute unintended local commands.

Skill content
args = " ".join(f"{k}={v}" for k, v in kwargs.items())
cmd = f"mcporter call {tool} {args}"
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, env=ENV, timeout=60)
Recommendation

Replace shell=True string execution with an argument list, quote or validate all user-controlled values, and restrict company identifiers to expected ticker/name formats before invoking mcporter.
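The hardened form of the flagged call, written here as an added example rather than the skill's own code: the same `mcporter call <tool> k=v ...` invocation is built as an argument list with no shell, and every user-controlled value must pass an allow-list (the regex and length bound are assumptions for this example, not a format the skill defines).

```python
import re
import shlex
import subprocess

# Allow-list for company keywords and tool names: letters, digits, dot, dash,
# underscore and space, at most 64 characters. Assumed policy for this example;
# a real deployment would match the ticker/name formats mcporter expects.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")
ARG_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_identifier(value: str) -> str:
    """Return value unchanged if it matches the allow-list, else raise ValueError."""
    if not IDENTIFIER_RE.fullmatch(value):
        raise ValueError(f"rejected identifier: {value!r}")
    return value


def build_mcporter_argv(tool: str, **kwargs: str) -> list[str]:
    """Build argv for `mcporter call <tool> k=v ...` without a shell.

    Values are validated before they are placed in the list, so a keyword
    carrying `;`, `$(`, backticks or quotes is refused rather than executed.
    """
    argv = ["mcporter", "call", validate_identifier(tool)]
    for k, v in kwargs.items():
        if not ARG_NAME_RE.fullmatch(k):
            raise ValueError(f"rejected argument name: {k!r}")
        argv.append(f"{k}={validate_identifier(str(v))}")
    return argv


def run_tool(tool: str, **kwargs: str) -> subprocess.CompletedProcess:
    """Replacement for the shell=True call: the list is executed directly."""
    argv = build_mcporter_argv(tool, **kwargs)
    # shlex.join is only for a readable log line; the shell never parses it.
    print("exec:", shlex.join(argv))
    return subprocess.run(argv, capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    # Constructed inputs: an ordinary company name and one with a metacharacter.
    print(build_mcporter_argv("fundamentals", company="Berkshire Hathaway"))
    try:
        build_mcporter_argv("fundamentals", company="AAPL; echo injected")
    except ValueError as err:
        print("blocked:", err)
```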

What this means

Installing the skill may cause routine analysis requests to change a local application data file and publish or display generated investment ratings in the local frontend.

Why it was flagged

The skill instructs the agent to always mutate a local frontend data file after analysis, without requiring explicit user confirmation or describing rollback/backup behavior.

Skill content
After each fundamental analysis is completed, the report data **must** be written to the frontend display:

1. Read `alpha-factor-lab/fundamental-reports.json`
2. Append one report entry using the following JSON structure
Recommendation

Make the frontend write optional and user-confirmed, validate the target path, preserve a backup, and document how users can disable or revert the write.

What this means

The skill’s behavior for US equities depends on external local code that users may not realize is required or reviewed.

Why it was flagged

The US-stock path invokes a sibling us-market script that is not part of this skill’s manifest, while the registry metadata does not declare such a dependency.

Skill content
US_MARKET_SCRIPT = os.path.join(SCRIPT_DIR, '..', '..', 'us-market', 'scripts', 'us_market_query.py')
Recommendation

Declare external skill/tool dependencies in metadata or install documentation, and ensure users install them from a trusted source.