Skill v1.0.0

ClawScan security

可转债打新助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 8, 2026, 10:25 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This skill's code, requirements, and runtime instructions are consistent with a small offline/online A‑share convertible-bond helper — nothing requests unrelated credentials or system access, though there are some bugs and TODOs to fix before use.
Guidance
This skill appears to be what it says: a small Python tool that fetches public market data and runs local analysis. Before installing/running:
1) Review and fix the obvious bug in cb_calendar.parse_dongfangcai_data (syntax error) and any TODOs;
2) run it in a restricted environment (virtualenv / container) and install dependencies via pip from PyPI;
3) be aware it fetches data from public finance websites — check those sites' terms of use and rate limits;
4) optional third‑party services mentioned (Tushare, akshare, jisilu) may require tokens or logins — do not supply secrets unless you understand where they are used;
5) if you will publish or run autonomously, add error handling and limits to network requests to avoid unexpected scraping behavior.

Review Dimensions

Purpose & Capability: ok
Name/description (可转债打新助手) match the included Python code and the declared runtime needs (python3, requests/pandas/beautifulsoup4). The modules implement calendar, analysis, premium prediction and monitoring — all aligned with the stated features. No unexpected binaries, credentials, or config paths are requested.
Instruction Scope: note
SKILL.md instructs users to pip install common Python libs and run main.py. The code contains network calls (requests) to public finance sites (EastMoney, Sina, CNINFO, Jisilu) which matches the data-sourcing described. There are no instructions to read unrelated system files or exfiltrate secrets. Note: some functions are placeholders/TODOs and one parsing function contains a syntax bug (parse_dongfangcai_data), so runtime failures are likely until fixed.
Install Mechanism: ok
There is no automated install spec in the registry entry (no downloads or extract steps). SKILL.md suggests installing Python packages via pip, which is normal and low-risk. No remote, untrusted binary downloads or obscure URLs are used by the install process.
Credentials: ok
The skill declares no required environment variables or credentials. References mention optional services (Tushare, jisilu) that may require tokens, but these are not required by the included code. The skill does perform network requests to public data sources — expected for its purpose and proportionate.
Persistence & Privilege: ok
The skill does not request always:true or other elevated persistent privileges. It writes/reads a local cache path (data/cb_history.csv) only, which is reasonable for caching historical data. It does not modify other skills or system-wide configs.