Skill v1.0.0
ClawScan security
新股申购助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 2:44 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill appears to do what it says (IPO calendar, basic analysis, predictions and reminders) and its code and runtime instructions are largely consistent with that purpose; no hidden exfiltration or unrelated credential requests were found.
- Guidance: This skill is coherent for IPO calendar/analysis use: it fetches public data (东方财富) and optionally uses akshare or Tushare (the latter requires a TUSHARE_TOKEN you must provide). Before installing:
  1. Review whether you want to install optional libraries (akshare/tushare) — they are only needed for additional data sources. SKILL.md lists pandas and beautifulsoup4 but the shipped code doesn't rely on them; you can install only requests if you prefer.
  2. If you plan to use Tushare, create a TUSHARE_TOKEN and store it in the environment or data/tushare_token.txt; otherwise the skill will skip Tushare.
  3. The reminder feature saves config in data/reminder_config.json and prints instructions to add an OpenClaw cron job — it does not automatically register a cron job.
  4. As with any tool that talks to the network, run it in an environment you control and inspect data/ files for any sensitive tokens before sharing.

  Overall the package appears benign but exercise normal caution (control network access, review optional dependencies and local config files).
Review Dimensions
- Purpose & Capability (ok): Name/description match the code: modules fetch IPO data (东方财富, optional akshare, optional Tushare), produce analysis, predictions and reminders. Requested binary (python3) and use of HTTP requests are expected for this purpose.
- Instruction Scope (note): SKILL.md tells the agent to install requests/pandas/beautifulsoup4 and run python3 main.py; code uses requests and optional akshare/tushare. There is no instruction to read unrelated system files or exfiltrate data. The reminder instructions include a suggested OpenClaw cron command (user-run).
- Install Mechanism (ok): No install spec provided (instruction-only), so nothing is automatically downloaded or executed beyond Python scripts. Dependencies are installed via pip by the user per SKILL.md, which is low-risk compared with automatic downloads.
- Credentials (note): The code optionally reads a TUSHARE_TOKEN from the environment or data/tushare_token.txt, but the registry metadata declared no required env vars and SKILL.md did not mention TUSHARE_TOKEN. That optional credential use is reasonable for the Tushare data source, but it is not declared up front. Also SKILL.md lists pandas and beautifulsoup4 as required packages though the bundled code does not meaningfully use them.
- Persistence & Privilege (ok): always:false and no special privileges requested. The skill writes cache and local config files under the data/ directory (ipo_cache.json, reminder_config.json), which is expected for a local CLI tool and is scoped to the skill.
