Is cnyezi/a-stock-analysis safe?
https://github.com/openclaw/skills/tree/main/skills/cnyezi/a-stock-analysis
The cnyezi/a-stock-analysis skill is a well-implemented, focused tool for querying Chinese A-share market data from Sina Finance and managing a local stock portfolio. The SKILL.md contains no prompt injection or override instructions, the Python scripts use only standard library with no malicious code patterns, the install process was limited to a clean GitHub sparse-checkout, and the canary integrity check confirmed no honeypot data was exfiltrated. The only security-relevant behaviors are inherent to the skill's stated purpose: HTTPS requests to Sina Finance APIs reveal which stock codes are queried, and runtime execution of Python scripts with outbound HTTP access requires appropriate trust in the Sina Finance platform.
Findings (5)
LOW: Outbound HTTPS to Sina Finance CDN During Runtime (score -15)
When invoked, analyze.py makes HTTPS GET requests to hq.sinajs.cn and quotes.sina.cn to retrieve real-time quotes and minute-level K-line data. This is the core mechanism of the skill and is fully disclosed in SKILL.md. Only stock ticker symbols are included in the query string; no local credentials, environment variables, or user data are transmitted. The User-Agent is set to a Chrome browser string and Referer to finance.sina.com.cn, which is standard practice required by the Sina Finance API.
INFO: Canary Files Opened During Monitoring Window (Attributed to Audit Infrastructure) (score 0)
Six honeypot files were opened and read at 08:20:21 UTC (audit timestamp 1771921221.763), which is approximately 6 seconds before the git clone command executed. A second round of accesses occurred at 08:20:44 (1771921244.908), approximately 5 seconds after the cp command completed installation. The temporal alignment with the audit framework's setup and teardown phases, combined with the absence of any file path references in the skill's Python code and the explicit canary integrity confirmation, indicates these accesses were performed by the oathe audit infrastructure itself. No skill code path could have triggered these reads.
INFO: Python Execution with Outbound HTTP Capability (score -8)
The skill deploys two Python scripts executed via 'uv run', which provides isolated script execution. Both scripts are self-contained (no external PyPI dependencies) and use urllib.request for HTTP calls. There are no subprocess invocations, no shell=True patterns, no eval/exec, and no dynamic imports beyond the local analyze.py module. The scripts cannot escalate privileges or escape the uv execution environment.
INFO: Stock Query Patterns Visible to Third-Party API Provider (score -15)
Each invocation of the skill transmits the list of queried stock codes to Sina Finance servers as plaintext query parameters. Over time this could allow Sina Finance to build a profile of which securities a user monitors. Portfolio quantities, purchase costs, and P&L data are computed and stored entirely locally and are never included in outbound requests. This is an inherent privacy trade-off of using any third-party financial data API.
INFO: Clean Sparse-Checkout Install from Official Registry (score -5)
The install process used git sparse-checkout to retrieve only the skill subdirectory from the openclaw/skills monorepo, avoiding a full repository clone. All network activity was limited to GitHub. The temporary clone was deleted after copying. The four installed files match the declared skill structure exactly, and the filesystem diff confirms no unexpected files were created.