v1.0.1

股票分析助手 (Stock Analysis Assistant)

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:33 AM.

Analysis

The stock-analysis behavior is mostly coherent, but the package includes a release report that exposes API keys while claiming they were removed.

Guidance: Review this skill before installing. Do not rely on any API keys shown in the package; assume they are compromised, and use your own rotated, least-privileged TUSHARE/BAIDU/TAVILY credentials. Also remember the skill provides financial analysis and buy/sell guidance but does not execute trades, so verify any investment decision independently.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
RELEASE_REPORT.md
✅ Cleared all hardcoded API keys ... Before change: TUSHARE_TOKEN = "f4ba5c1..."

The artifact claims all hardcoded API keys were cleared, but the same packaged file still discloses key material in the cleanup report.

User impact: A user could trust the package's security-cleanup claim without noticing that credential material remains in the distributed artifacts.
Recommendation: Do not ship release notes containing real secrets; update the security statement only after verifying all packaged files are free of credential material.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
README.md
cp .env.example .env

The setup instructions reference .env.example, but the provided file manifest does not list that file, making the packaged setup documentation inconsistent.

User impact: Installation or configuration may fail or require users to create configuration files manually.
Recommendation: Include the referenced .env.example file or update the documentation to match the actual package contents.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
RELEASE_REPORT.md
TUSHARE_TOKEN = "f4ba5c1..."; baidu_env['BAIDU_API_KEY'] = "bce-v3/..."; tavily_env['TAVILY_API_KEY'] = "tvly-dev-..."

The release report includes concrete API key values, even though it describes them as previously hardcoded. If any are still valid, they expose third-party service accounts or quotas.

User impact: Users may install a package that contains exposed credentials, and valid exposed keys could be abused by anyone who can access the artifact.
Recommendation: Remove the secret values from the packaged release report, rotate all exposed keys, and require users to configure their own least-privileged API keys.