Banana Farmer

ReviewAudited by ClawScan on May 1, 2026.

Overview

Banana Farmer appears to be a coherent, read-only financial market analysis skill, but it uses a service API key and can process sensitive portfolio holdings.

This skill appears safe to install if you want Banana Farmer market analysis and are comfortable using a BF_API_KEY. Keep the API key private, avoid putting highly sensitive details in portfolio JSON files, understand that portfolio ticker symbols are queried against bananafarmer.app, and treat all trading signals and win-rate claims as research rather than guaranteed financial advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone who obtains the API key may be able to use the user's Banana Farmer API access.

Why it was flagged

The skill requires a Banana Farmer API key and sends it as an authentication header to the Banana Farmer API. This is disclosed and purpose-aligned, but the key is still a credential users should protect.

Skill content

BF_API_KEY = os.environ.get('BF_API_KEY', '') ... BF_BASE = 'https://bananafarmer.app/api/bot/v1' ... headers = {'x-bf-bot-key': BF_API_KEY, 'User-Agent': 'BananaFarmerBot/1.0'}

Recommendation

Store BF_API_KEY only in a trusted environment or secrets manager, do not paste it into chats or commit it to files, and rotate it if exposed.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Using the portfolio feature may reveal which tickers are in the analyzed portfolio to Banana Farmer, while also exposing detailed P&L in local output.

Why it was flagged

The portfolio feature reads local holdings, share counts, and cost basis, then queries Banana Farmer for each holding symbol. The code appears to keep shares and cost basis local, but the analyzed ticker symbols are sent to the external provider.

Skill content

with open(portfolio_file) as f:
        portfolios = json.load(f)
...
shares = h.get('shares', 0)
cost = h.get('cost_basis', 0)
...
data = bf_get(f'signals/{sym}')

Recommendation

Use a minimal portfolio file, avoid sensitive account names, and only analyze portfolios if you are comfortable sharing the holding symbols with bananafarmer.app.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

A user could rely too heavily on the skill's momentum scores or win-rate claims when making investment decisions.

Why it was flagged

The skill makes strong performance claims for financial signals. This is aligned with the product's purpose, but users may over-trust the outputs if they treat the claim as a guarantee.

Skill content

Backed by 730 days of tracked data across 12,450+ signals with a verified 80% five-day win rate.

Recommendation

Treat outputs as informational market research, verify claims independently, and do not treat the skill as guaranteed investment advice.