daily-investment-digest

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for fetching financing-event data and printing a report, with review notes for external API use, bundled Node script execution, and sparse runtime/provenance metadata.

This looks safe to use for the intended daily financing-report task. Before installing, be comfortable with it making requests to the iYiou API and running bundled Node scripts locally; keep the default page limit unless needed, and avoid giving the report generator unrelated private JSON files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill will contact the iYiou API to retrieve financing-event data; increasing page limits could make more external requests.

Why it was flagged

The tool performs outbound requests to a fixed external API and has bounded pagination controls. This is disclosed and purpose-aligned, but users should notice that invoking the skill contacts an external service and can make multiple page requests.

Skill content

const API_URL = "https://api.iyiou.com/skill/info"; ... options.maxPage = clamp(options.maxPage, 1, 500);

Recommendation

Use it only for the intended financing-report task and keep the documented default max-page value unless the user explicitly requests more.

What this means

Installing and using the skill means allowing its bundled JavaScript files to run locally.

Why it was flagged

The wrapper script launches two bundled Node scripts to pipe fetch output into report generation. It uses process.execPath and fixed script paths rather than a shell command string, so this appears expected for the skill's one-command workflow.

Skill content

const fetchProc = spawn(process.execPath, fetchArgs, { stdio: ["ignore", "pipe", "pipe"] });

Recommendation

Review the bundled scripts and invoke the documented command path; avoid modifying arguments to point at unrelated scripts or inputs.

What this means

Users have less publisher/source context to rely on and should ensure their environment can run the documented Node scripts.

Why it was flagged

The registry metadata provides limited provenance and does not declare a Node runtime requirement, even though SKILL.md documents Node-based commands. This is a metadata completeness/provenance note, not evidence of malicious behavior.

Skill content

Source: unknown
Homepage: none
... Required binaries (all must exist): none
... No install spec — this is an instruction-only skill.

Recommendation

Verify the publisher/source if provenance matters, and confirm Node.js is available before relying on the skill.