Trusted — Risk Score 5/100
Last scan: 17 hr ago
vn-stock-scanner
Vietnamese stock market analysis skill for VN-Index, HoSE, HNX, UPCoM - fetches financial news and ticker data
Legitimate Vietnamese stock market data scanner that fetches public financial information from CafeF and TCBS public APIs without any malicious behavior.
Skill Name: vn-stock-scanner
Duration: 27.4s
Engine: pi
Safe to install
No action required. The skill performs as documented, accessing only public financial data sources.

Findings 1 items

Severity: Low
Finding: Hardcoded home directory path in documentation (Doc Mismatch)
Location: SKILL.md:10
SKILL.md contains a hardcoded path /home/hoang/.openclaw/workspace/ which reveals local username information.
python3 /home/hoang/.openclaw/workspace/vn-stock-scanner/scripts/scanner.py
→ Use relative paths or environment variables for script location to avoid exposing local system usernames.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/scanner.py:11,39 - fetches public RSS/API data |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:10 - executes scanner.py via exec tool |
| Filesystem | NONE | NONE | | No file read/write operations in scanner.py |
| Environment | NONE | NONE | | No environment variable access in scanner.py |
2 findings
Medium External URL
https://cafef.vn/tin-tuc-su-kien.rss
scripts/scanner.py:11
Medium External URL
https://apipubaws.tcbs.com.vn/tcanalysis/v1/ticker/
scripts/scanner.py:39

File Tree

2 files · 5.3 KB · 103 lines
Python 1f · 78L Markdown 1f · 25L
├─ 📁 scripts
│ └─ 🐍 scanner.py Python 78L · 3.5 KB
└─ 📝 SKILL.md Markdown 25L · 1.8 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Standard library, version not pinned but no known vulnerabilities in this usage |
| urllib3 | * | pip (requests dep) | No | Standard dependency |

Security Positives

✓ Uses only legitimate, well-known Vietnamese financial data sources (CafeF, TCBS)
✓ No credential theft or sensitive data access
✓ No data exfiltration to external servers beyond declared APIs
✓ No obfuscation, base64 encoding, or suspicious code patterns
✓ No network requests to suspicious IPs or domains
✓ No supply chain risks - uses only standard libraries (requests, json, xml.etree)
✓ Functionality matches documentation - fetches stock ticker info and news as declared
✓ No persistence mechanisms or backdoors installed
✓ Requests library properly configured with timeouts and user-agent