Back to skill
Skillv1.0.0
ClawScan security
Forex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 8:09 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, educational forex skill whose claimed purpose matches its content and it does not request credentials, install software, or perform unexplained actions.
- Guidance
- This skill appears to be purely educational and internally consistent. Before installing, consider: 1) provenance — the registry lists an owner ID and skill.json author but the published 'Source' was unknown; if you care about supply-chain trust, verify the author or homepage. 2) The skill does not connect to brokers or require credentials — if you later want live trading or account-linked features, that would require separate, explicit integrations and credentials; treat any future prompt that asks you to paste API keys or private keys as sensitive. 3) This skill is informational, not personalized financial advice — validate hedging or trading actions with a licensed advisor or your broker. Overall there are no immediate red flags in code, env vars, or install behavior.
Review Dimensions
- Purpose & Capability
- okThe name, description, and skill.json capabilities align with the SKILL.md and examples: everything is educational and advisory about FX markets, hedging, travel currency, and trading foundations. There are no unrelated requirements (no cloud, no broker integration, no system access).
- Instruction Scope
- okSKILL.md and examples are content/prompts for conversations and heartbeat checks; they do not instruct the agent to read local files, access environment variables, contact hidden endpoints, or exfiltrate data. The instructions stay within the stated domain (explanations, risk analysis, prompts for user-provided position details).
- Install Mechanism
- okNo install spec and no code files — instruction-only. Nothing is downloaded or written to disk, so install risk is minimal.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. That matches its informational purpose — it does not ask for bank/broker API keys or other secrets.
- Persistence & Privilege
- okalways is false and the skill is user-invocable only. It does not request persistent system-wide privileges or modify other skills' configurations.