Scan Report
5/100
justice-plutus
Local A-share analysis with Markdown/JSON reports, optional Feishu notifications, and optional iFinD enhancement
A legitimate local A-share analysis skill that executes documented shell commands to run a Python-based stock analysis pipeline.
Safe to install
Approve for use. The skill is well-documented and performs only declared local analysis operations.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | scripts/run_analysis.sh:72 - "$python_cmd" -m justice_plutus "$@" |
| Network | READ | READ | ✓ Aligned | SKILL.md declares optional API keys for search/notification providers |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:30 - writes reports/YYYY-MM-DD/stocks/ outputs |
| Environment | READ | READ | ✓ Aligned | scripts/run_analysis.sh:49 - reads API keys for LLM provider selection |
1 finding
Medium: External URL
https://clawhub.ai/Etherstrings/justice-plutus (SKILL.md:23)
File Tree
3 files · 9.0 KB · 350 lines
Markdown: 2 files · 268 lines
Shell: 1 file · 82 lines
├─ references
│  └─ overview.md (Markdown)
├─ scripts
│  └─ run_analysis.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ All shell commands are explicitly declared in SKILL.md
✓ Parameter validation prevents command injection (case statement parsing)
✓ No credential harvesting or exfiltration detected
✓ No base64 encoding or obfuscation observed
✓ Optional features are documented and require explicit flags (--notify, --ifind)
✓ Missing optional keys do not block core functionality (graceful degradation documented)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No curl|bash or wget|sh remote script execution
✓ Python runtime detection with standard .venv fallback is safe