ClawAudit verdict

stock-analysis

analyze-stock

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Uses Tushare and Baidu API keys to fetch financial data and news for stock analysis; all credential use is transparent and proportional to the stated purpose of generating investment analysis reports.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

security: 30
transparency: 70
maintenance: 70

Findings (4)

Pattern match critical

Possible hardcoded credential

RELEASE_REPORT.md · code · TOKEN = "f4ba5c1d10214f5bcf6bae2eef8a47e315f559667227d5da7abf7ed7491a

Pattern match high

Pipe to python — executes piped content as Python code

RELEASE_REPORT.md · prose · downgraded · | Python

Pattern match medium

Accesses OpenClaw config/secrets directly

SKILL.md · prose · downgraded · ~/.openclaw/openclaw.json

Pattern match medium

Python os.environ.get — reads environment variable

RELEASE_REPORT.md · code · os.environ.get(

Permissions & capabilities

Requires 2 environment variables (2 sensitive: TUSHARE_TOKEN, BAIDU_API_KEY). Requires 1 system binary.

credential_access
