v1.0.0

quantum-portfolio-yand

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 2:52 AM.

Analysis

This is a coherent local portfolio-optimization skill that installs scientific Python packages and runs disclosed scripts, with no evidence of hidden networking, credential use, exfiltration, or background persistence.

Guidance

This skill appears safe to review as a local research/analysis tool. Install it in a virtual environment, review the dependencies if provenance matters, and only provide CSV files you intentionally want analyzed. The artifacts show local plot/JSON generation but no evidence of data exfiltration, credential access, or persistence beyond generated assets.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
README.md
pip install -r requirements.txt
python scripts/run_pipeline.py

The skill is intended to be run as local Python code after installing dependencies. This is disclosed and central to the optimizer workflow, not hidden or unrelated behavior.

User impact: Running the skill executes local numerical code, reads the selected return data, and generates local output files.
Recommendation: Run it from a virtual environment or other controlled project directory, and only invoke the scripts when you intend to perform the portfolio analysis.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
numpy>=1.23
pandas>=1.5
scipy>=1.10
matplotlib>=3.6
dimod>=0.12
dwave-neal>=0.6,<0.7

The skill depends on external Python packages with mostly version ranges rather than a fully pinned lockfile. These dependencies are expected for the solvers and plotting, but version drift is possible.

User impact: Dependency versions may vary between installs, which can affect reproducibility or expose users to normal package supply-chain risk.
Recommendation: Install from trusted package indexes, preferably in a virtual environment, and consider pinning exact dependency versions if reproducibility or supply-chain control is important.