Buffett Analysis
Status: Pending. Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental company-name input could cause the agent’s environment to run commands beyond fetching financial data.
The script accepts the company keyword from user input and interpolates it into an unquoted shell command. A crafted company name containing shell metacharacters could execute unintended local commands.
args = " ".join(f"{k}={v}" for k, v in kwargs.items())
cmd = f"mcporter call {tool} {args}"
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, env=ENV, timeout=60)
Replace shell=True string execution with an argument list, quote or validate all user-controlled values, and restrict company identifiers to expected ticker/name formats before invoking mcporter.
Installing the skill may cause routine analysis requests to change a local application data file and publish or display generated investment ratings in that frontend.
The skill instructs the agent to always mutate a local frontend data file after analysis, without requiring explicit user confirmation or describing rollback/backup behavior.
After each fundamental analysis is completed, the report data **must** be written to the frontend display: 1. Read `alpha-factor-lab/fundamental-reports.json` 2. Append one report entry using the following JSON structure
Make the frontend write optional and user-confirmed, validate the target path, preserve a backup, and document how users can disable or revert the write.
The skill’s behavior for US equities depends on external local code that users may not realize is required or reviewed.
The US-stock path invokes a sibling us-market script that is not part of this skill’s manifest, while the registry metadata does not declare such a dependency.
US_MARKET_SCRIPT = os.path.join(SCRIPT_DIR, '..', '..', 'us-market', 'scripts', 'us_market_query.py')
Declare external skill/tool dependencies in metadata or install documentation, and ensure users install them from a trusted source.
