A Stock Analysis 1.0.0

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An unintended add, update, or remove action could make the local portfolio tracker inaccurate or delete a saved position record.

Why it was flagged

The skill documents commands that mutate local portfolio records. This matches the portfolio-management purpose, but users should notice that the agent can change or delete the local tracking data if asked to run these commands.

Skill content

uv run {baseDir}/scripts/portfolio.py add 600789 --cost 10.416 --qty 3400 ... update ... remove 600789

Recommendation

Confirm stock code, cost, quantity, and intent before running add/update/remove portfolio commands.

What this means

It may be harder to independently verify who published or maintains the skill.

Why it was flagged

The package lacks a source/homepage reference and its embedded metadata does not exactly match the registry owner information. This is a provenance gap, not evidence of malicious behavior in the included code.

Skill content

Source: unknown; Homepage: none; Registry Owner ID: kn71h5yp8j42ce5zb2jpbx6khh81yzdp; _meta.json ownerId: kn707vekcz9f58mg3b3cjs3jc17zye0v

Recommendation

Verify the publisher and review the included scripts before relying on the skill for financial tracking.

What this means

Anyone or any tool with access to that local file could see or alter the saved portfolio-tracking information.

Why it was flagged

The skill stores persistent portfolio data locally, including positions, cost, quantity, and timestamps. This is disclosed and purpose-aligned, but it is personal financial context that can be reused by the skill.

Skill content

PORTFOLIO_FILE = Path.home() / ".clawdbot" / "skills" / "a-stock-analysis" / "portfolio.json"

Recommendation

Treat the portfolio file as sensitive local data and remove or protect it if you no longer want the skill to retain holdings information.

What this means

Sina Finance can receive the stock codes you query, and portfolio analysis may reveal which stock symbols are in the local portfolio, although cost and quantity are not shown as being sent.

Why it was flagged

The stock-analysis script calls disclosed Sina Finance endpoints to fetch real-time and minute-level market data. This is central to the skill, but queried stock symbols are sent to an external provider.

Skill content

url = f"https://hq.sinajs.cn/list={codes_str}" ... "https://quotes.sina.cn/...getKLineData?symbol={symbol}"

Recommendation

Use the skill only if you are comfortable sending queried A-share symbols to the disclosed market-data provider.