Skill v1.0.0

ClawScan security

A Stock Daily Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 4:26 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (fetching 东方财富 data and producing an A-share daily report); it requires no credentials and performs only network reads and local stdout output.
Guidance
This skill appears to do exactly what it says: call 东方财富 push2 APIs and format a report. It asks for no secrets and has no install step, so the risk is low. Two practical points to consider before running: (1) The script uses plain HTTP endpoints (http://push2.eastmoney.com) — that can allow tampering on untrusted networks; consider switching to HTTPS endpoints if available or run on a trusted network. (2) The script makes outbound network requests and prints to stdout; if you plan to schedule it or save reports, run it in a controlled environment (container or restricted account) and inspect/validate outputs. If you want extra assurance, review the included script (it is short and readable) or run it in a sandbox before integrating into automated workflows.

Review Dimensions

Purpose & Capability
ok: Name/description claim: fetch 东方财富 data and produce a daily A-share report. The included script directly calls 东财 push2 APIs, parses results, and formats Markdown/JSON output. Required env, credentials, and binaries are none — consistent with the simple Node.js script.
Instruction Scope
ok: SKILL.md instructs running the bundled Node script and optionally redirecting stdout to files. The runtime instructions do not ask the agent to read unrelated files, access secrets, or send data to third-party endpoints other than the listed 东方财富 APIs. No vague 'gather whatever you need' directives are present.
Install Mechanism
ok: Instruction-only with a single included JS file; no install spec or remote downloads. This minimizes installation risk — nothing arbitrary is fetched or written during install.
Credentials
ok: No environment variables, credentials, or config paths are requested. The script only requires Node.js and makes outbound HTTP(S) requests to the stated APIs, which is proportional to its purpose.
Persistence & Privilege
ok: Skill is not always-enabled, does not modify other skills or system settings, and does not persist credentials. It only prints output to stdout; optional instructions suggest the user redirect output to user documents, which is normal and local.