Skill v1.0.0
ClawScan security
全球股市技术分析报告 (Global Stock Market Technical Analysis Report) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 3:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions match its stated purpose (fetch EastMoney data and produce a technical-stock report); it asks for no credentials and contains no install or hidden endpoints.
- Guidance: This skill appears coherent and does what it says: open EastMoney pages, call EastMoney APIs, extract fields, and format a report. Before installing/using: (1) confirm that scraping EastMoney is acceptable under your legal/terms-of-service constraints; (2) be mindful of rate limits and potential IP blocking when automating browser/API calls; (3) avoid supplying any unrelated credentials to the agent — the skill does not need them; (4) verify output correctness on a few examples (it explicitly instructs to write '暂无数据' when data is missing); and (5) review how your OpenClaw browser integration handles navigation/snapshots so it won't accidentally capture or transmit unrelated private pages.
Review Dimensions
- Purpose & Capability (ok): Name/description say: fetch 东方财富 (EastMoney) stock data and generate A-share technical reports. The SKILL.md exclusively instructs the agent to navigate EastMoney quote pages and call EastMoney push2 API endpoints, then extract fields and fill the included report template — these requirements are coherent and proportional to the stated purpose.
- Instruction Scope (note): Instructions stay focused on visiting quote pages (openclaw browser navigate + snapshot), calling specific EastMoney API URLs, parsing listed fields, and populating the provided report template. Positive: explicit 'do not fabricate data' rule and required disclaimer. Notes/operational concerns: the skill relies on browser snapshots which may capture extra page content; it references using 'stock_zh_a_hist' for historical K-line data but does not specify exact API usage or rate limiting; failure modes and retry behavior are described only briefly. These are operational gaps, not obvious malicious actions.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to run on the host — minimal disk footprint and low install risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. All external calls are to EastMoney endpoints described in the instructions — no unrelated secrets or services are requested.
- Persistence & Privilege (ok): Flags: always=false, user-invocable=true, autonomous invocation enabled (default). The skill does not request persistent presence or system-wide configuration changes. Autonomous invocation is normal for skills and not excessive here.
