Plugin v0.5.7

ClawScan security

Openclaw Data China Stock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 1:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package implements the China-market data and analysis capabilities it advertises; required credentials and actions are proportional and expected for this kind of plugin, though you should review the provided registration/install scripts before running them on a production machine.
Guidance
This skill appears coherent and implements the functionality it advertises. Before installing or running the registration scripts:
1) run inside an isolated environment (create and activate a Python virtualenv as documented);
2) inspect scripts/register_openclaw_dev.py and scripts/install_plugin_to_runtime.sh to confirm they only perform the expected append/symlink/rsync operations;
3) back up ~/.openclaw/openclaw.json (or any OpenClaw config) before running registration in case you want to revert;
4) avoid placing sensitive tokens in global files unless you trust the runtime environment—store TUSHARE_TOKEN in a service-managed secret or use a local .env only for this plugin;
5) if you need stricter isolation, run the plugin in a dedicated VM/container or a non-production OpenClaw workspace first and run the test suite (pytest) included in the repo to validate behavior.

Review Dimensions

Purpose & Capability
ok
The name/description (A-share/ETF/option data, fund-flow, technical screeners, multi-source fallback) matches the repository contents: many data-collection modules, provider fallback logic, technical-indicator engine, manifest and registered tools/skills. The optional use of AKShare/Tushare/Eastmoney/THS data sources is consistent with the stated purpose.
Instruction Scope
note
SKILL.md and INSTALL.md contain runnable developer flows (pip install -r requirements.txt, register_openclaw_dev.py, install_plugin_to_runtime.sh). They reference user config paths (~/.openclaw/openclaw.json and optionally ~/.openclaw/.env) and an optional TUSHARE_TOKEN environment variable. This is within the expected scope for a data-collector plugin, but the install/registration steps will modify the user's OpenClaw workspace/config so you should inspect those scripts before executing them.
Install Mechanism
ok
No automated registry install spec is included; the repo expects source installation (venv + pip install -r requirements.txt) or ClawHub install. Dependencies are standard for Python data/HTTP work and the repo's install scripts use rsync/softlinks for developer registration. No obscure download URLs or extract-from-remote artifacts were observed in the manifest provided.
Credentials
ok
The skill declares no required environment variables and no primary credential. SKILL.md documents an optional TUSHARE_TOKEN to enable a preferred northbound data route; this is appropriate and clearly documented. Other environment variables (e.g., OPENCLAW_DATA_CHINA_STOCK_PYTHON) are deployment conveniences, not secrets.
Persistence & Privilege
note
always:false and normal autonomous invocation settings. The repo includes scripts (scripts/register_openclaw_dev.py, scripts/install_plugin_to_runtime.sh) that will modify ~/.openclaw/openclaw.json and create symlinks in your OpenClaw workspace when used — described as append-only by the author. This is expected for developer registration but is a privilege that affects user config and should be reviewed/backed up before running.