Scan Report
15 /100
research-analyst
Local stock/crypto analysis with 8-dimension scoring system using public APIs
Legitimate financial analysis tool with no malicious behavior detected. Capabilities match the documentation apart from one undeclared read of the CLAWDBOT_STATE_DIR environment variable: read-only network access to public APIs, local storage only, no subprocess or credential access.
Safe to install
This skill is safe to use. Monitor the PyPI dependencies for supply-chain changes and pin them to verified hashes; the SHA256 hashes currently in requirements.txt could not be verified (see Findings), so they give no assurance until they are regenerated from the real artifacts.
Findings 2 items
| Severity | Category | Finding | Location |
|---|---|---|---|
| Low | Supply Chain | requirements.txt contains SHA256 hashes that cannot be verified | requirements.txt:1 |
| Low | Doc Mismatch | Security verification commands reference patterns that do not exist in the code | skill.md:295 |
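What "non-verifiable hashes" look like in practice, and how to check a requirements.txt before trusting its pins, as an added example that is not code from the scan report or from the skill. The requirements text and the two artifact byte strings are constructed inline to stand in for the real file and for wheels fetched with `pip download`; the status names (unpinned, malformed, unverifiable, mismatch, verified) and the helper names are this example's own.

```python
import hashlib
import re

# Constructed stand-ins for downloaded artifacts (real wheels would be read from
# disk after e.g. `pip download -d ./dl -r requirements.txt`), keyed by project name.
ARTIFACTS = {
    "yfinance": b"PK\x03\x04 constructed stand-in for yfinance-0.2.40-py2.py3-none-any.whl",
    "requests": b"PK\x03\x04 constructed stand-in for requests-2.31.0-py3-none-any.whl",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed requirements file in pip's --hash pinning syntax (not the skill's own
# requirements.txt). yfinance carries the true digest of its artifact; requests carries
# a digest that matches nothing; pandas is unpinned; numpy's hash is not 64 hex chars.
REQUIREMENTS = """\
yfinance==0.2.40 \\
    --hash=sha256:{yfinance}
requests==2.31.0 \\
    --hash=sha256:{zeros}
pandas==2.2.0
numpy==1.26.3 --hash=sha256:deadbeef
""".format(yfinance=sha256_hex(ARTIFACTS["yfinance"]), zeros="0" * 64)

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\;]+)")
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):([0-9A-Fa-f]+)")
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def parse_requirements(text):
    """(name, version, [(algo, digest), ...]) per logical line; honours backslash
    continuations and strips comments. Names are normalised the way pip does."""
    out, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        m = REQ_RE.match(logical)
        if m:
            hashes = [(a.lower(), d.lower()) for a, d in HASH_RE.findall(logical)]
            out.append((m.group(1).lower().replace("_", "-"), m.group(2), hashes))
        logical = ""
    return out


def verify(requirements_text, artifacts):
    """Classify each requirement: unpinned, malformed, unverifiable, mismatch or verified."""
    report = {}
    for name, version, hashes in parse_requirements(requirements_text):
        digests = [d for algo, d in hashes if algo == "sha256"]
        if not hashes:
            report[name] = "unpinned"        # pip --require-hashes would reject this
        elif not digests or any(not SHA256_HEX.match(d) for d in digests):
            report[name] = "malformed"       # no usable sha256 hex digest at all
        elif name not in artifacts:
            report[name] = "unverifiable"    # nothing on hand to compare against
        elif sha256_hex(artifacts[name]) in digests:
            report[name] = "verified"
        else:
            report[name] = "mismatch"        # the pin does not describe this artifact
    return report


if __name__ == "__main__":
    for name, status in verify(REQUIREMENTS, ARTIFACTS).items():
        print(f"{name:10s} {status}")
```

With real artifacts, produce the reference digest with `pip hash <wheel>` and install with `pip install --require-hashes -r requirements.txt`, which refuses to proceed when any requirement is unpinned or a download's digest does not match its pin. A hash that matches no published artifact (the `mismatch` case) deserves the same treatment as a missing one: it provides no supply-chain assurance and suggests the file was edited by hand rather than generated from the packages.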
Capabilities 8 items
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | Local script execution, JSON portfolio storage |
| Network | READ | READ | ✓ Aligned | urllib/yfinance GET requests only, no POST |
| Shell | NONE | NONE | — | No subprocess or os.system calls found |
| Environment | NONE | READ | Mismatch (undeclared) | Reads CLAWDBOT_STATE_DIR only; the read is not declared in the skill manifest |
| Skill Invoke | NONE | NONE | — | No skill invocation detected |
| Clipboard | NONE | NONE | — | Not accessed |
| Browser | NONE | NONE | — | Not accessed |
| Database | NONE | NONE | — | Local JSON file only (not a DB) |
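How the Inferred column of a table like the one above can be derived, and how a declared/inferred mismatch surfaces, as an added example that is not part of the scan report or the skill: a static AST walk over Python source that infers Shell, Network, Environment and Filesystem use and compares it with a declared manifest. The sample script, the DECLARED dict (filled from the Declared column above) and every helper name are constructed for the example; the call sets it recognises are the stdlib and requests entry points the report itself looks for. It is best-effort: dynamic imports, getattr tricks or anything in a shell script are outside its view. The sample writes its portfolio file, so the comparison flags both the undeclared environment read and the write behind a filesystem declaration of READ.

```python
import ast

# Constructed sample script for the example (not one of the skill's five files).
# It mirrors the access pattern in the table: urllib GET, an environment-variable
# read for the state directory, and a local JSON file.
SAMPLE_SCRIPT = '''
import json, os, urllib.request
from pathlib import Path

STATE_DIR = Path(os.environ.get("CLAWDBOT_STATE_DIR", "~/.clawdbot")).expanduser()

def fetch(url):
    req = urllib.request.Request(url, headers={"User-Agent": "research-analyst"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def save_portfolio(portfolio):
    (STATE_DIR / "portfolio.json").write_text(json.dumps(portfolio))
'''

# Hypothetical declared manifest, copied from the Declared column of the table.
DECLARED = {"filesystem": "READ", "network": "READ", "shell": "NONE", "environment": "NONE"}

SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_call", "subprocess.check_output"}
NET_CALLS = {"urllib.request.urlopen", "urllib.request.Request", "requests.get",
             "requests.post", "requests.put", "requests.request"}
NET_WRITERS = {"requests.post", "requests.put"}
FILE_WRITES = {"write_text", "write_bytes"}
FILE_READS = {"read_text", "read_bytes"}
RANK = {"NONE": 0, "READ": 1, "WRITE": 2, "EXEC": 2}


def dotted_name(node):
    """'urllib.request.urlopen' for an attribute chain rooted in a bare name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _const(node):
    return node.value if isinstance(node, ast.Constant) else None


def _raise(caps, key, level):
    if RANK[level] > RANK[caps[key]]:
        caps[key] = level


def infer_capabilities(source):
    """Static, best-effort inference of the Inferred column from one script's source."""
    caps = {"shell": "NONE", "network": "NONE", "environment": "NONE",
            "filesystem": "NONE", "env_keys": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and dotted_name(node.value) == "os.environ":
            _raise(caps, "environment", "READ")                 # os.environ["KEY"]
            if _const(node.slice) is not None:
                caps["env_keys"].append(node.slice.value)
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        kw = {k.arg: k.value for k in node.keywords}
        if name in ("os.environ.get", "os.getenv"):             # os.environ.get("KEY")
            _raise(caps, "environment", "READ")
            if node.args and _const(node.args[0]) is not None:
                caps["env_keys"].append(node.args[0].value)
        elif name in SHELL_CALLS:
            _raise(caps, "shell", "EXEC")
        elif name in NET_CALLS:
            # A request body (positional data for urllib, data=/json= anywhere) or an
            # explicit non-GET method means the script can push data out, not only read.
            has_body = ("data" in kw or "json" in kw
                        or (name.startswith("urllib.") and len(node.args) > 1))
            method = _const(kw.get("method"))
            non_get = (name in NET_WRITERS
                       or (isinstance(method, str) and method.upper() != "GET"))
            _raise(caps, "network", "WRITE" if has_body or non_get else "READ")
        elif isinstance(node.func, ast.Attribute) and node.func.attr in FILE_WRITES:
            _raise(caps, "filesystem", "WRITE")
        elif isinstance(node.func, ast.Attribute) and node.func.attr in FILE_READS:
            _raise(caps, "filesystem", "READ")
        elif name == "open":
            mode = _const(node.args[1]) if len(node.args) > 1 else _const(kw.get("mode"))
            writes = isinstance(mode, str) and any(c in mode for c in "wax+")
            _raise(caps, "filesystem", "WRITE" if writes else "READ")
    caps["env_keys"] = sorted(set(caps["env_keys"]))
    return caps


def undeclared(declared, inferred):
    """Resources whose inferred level exceeds the declared one, as (resource, declared, inferred)."""
    return [(k, declared[k], inferred[k]) for k in sorted(declared)
            if RANK[inferred[k]] > RANK[declared[k]]]


if __name__ == "__main__":
    caps = infer_capabilities(SAMPLE_SCRIPT)
    print(caps)
    for resource, dec, inf in undeclared(DECLARED, caps):
        print(f"{resource}: declared {dec}, inferred {inf}")
```

Running it over every script in `scripts/` and taking the maximum per resource gives the Inferred column; anything `undeclared` reports is a manifest gap to fix, whether or not the access is benign.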
External References 9 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blue | README.md:5 |
| Medium | External URL | https://clawhub.ai | README.md:5 |
| Medium | External URL | https://img.shields.io/badge/License-MIT--0-green | README.md:6 |
| Medium | External URL | https://spdx.org/licenses/MIT-0.html | README.md:6 |
| Medium | External URL | https://push2.eastmoney.com/api/qt/clist/get | scripts/cn_market_rankings.py:4 |
| Medium | External URL | https://quote.eastmoney.com/center/gridlist.html | scripts/cn_market_rankings.py:6 |
| Medium | External URL | https://hq.sinajs.cn/list= | scripts/cn_stock_quotes.py:28 |
| Medium | External URL | https://finance.sina.com.cn | scripts/cn_stock_quotes.py:33 |
| Info | Email address | [email protected] | SECURITY.md:260 |
File Tree
10 files · 162.0 KB · 5040 lines
Python 5 files · 3871 lines
Markdown 3 files · 1010 lines
Shell 1 file · 110 lines
Text 1 file · 49 lines
├─ scripts/
│  ├─ cn_market_rankings.py (Python)
│  ├─ cn_stock_quotes.py (Python)
│  ├─ dividend_analyzer.py (Python)
│  ├─ portfolio_manager.py (Python)
│  └─ stock_analyzer.py (Python)
├─ README.md (Markdown)
├─ requirements.txt (Text)
├─ SECURITY.md (Markdown)
├─ skill.md (Markdown)
└─ verify_install.sh (Shell)
Dependencies 8 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| yfinance | 0.2.40 | pip | No | Industry-standard Yahoo Finance API wrapper |
| requests | 2.31.0 | pip | Yes (CVE-2024-35195, fixed in 2.32.0) | HTTP library; declared but not imported by any script (urllib is used instead), so the advisory does not reach the skill's code. Bump or drop the pin. |
| pandas | 2.2.0 | pip | No | Standard data analysis library |
| numpy | 1.26.3 | pip | No | Core numerical computing |
| beautifulsoup4 | 4.12.3 | pip | No | HTML parsing (lightly used) |
| lxml | 5.1.0 | pip | No | XML/HTML processor (dependency) |
| python-dateutil | 2.8.2 | pip | No | Date utilities (transitive) |
| pytz | 2024.1 | pip | No | Timezone handling (transitive) |
Security Positives
✓ No subprocess, os.system, or shell execution calls found in any Python script
✓ No credential theft indicators - no API key harvesting, no environment variable iteration for secrets
✓ No data exfiltration - only read-only GET requests to public financial APIs
✓ No obfuscation detected - all code is readable Python, no base64-encoded payloads
✓ No prompt injection vectors identified
✓ No persistence mechanisms - no cron jobs, startup scripts, or backdoors
✓ Local storage only - portfolio data stays in ~/.clawdbot, not sent externally
✓ Standard, well-established PyPI dependencies with millions of downloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ Verified: All 5 scripts match their documented functionality