Skill v1.0.0

ClawScan security

Sectors Financial Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 27, 2026, 9:11 AM)

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary: The skill appears to implement a coherent client for the Sectors API, but its metadata and declared requirements do not match the runtime instructions (it requires a SECTORS_API_KEY env var even though the registry metadata lists none), so the package has an incoherence users should address before trusting it.

Guidance: Key issues to consider before installing:
(1) The SKILL.md requires SECTORS_API_KEY but the registry metadata does not declare it; confirm the skill actually needs your API key and update or question the metadata omission.
(2) The skill only calls https://api.sectors.app/v1 and includes a benign check script; still verify the domains are correct and you trust sectors.app.
(3) Avoid adding API keys to ~/.bashrc if you want them kept private; use your platform's secret/env vault or agent-specific secure settings instead.
(4) If you plan to run the provided scripts, inspect them locally (the check_setup.py is small and readable) and consider running them in an isolated environment.
(5) If you need higher assurance, ask the publisher for a homepage/source repo (none is provided) and request corrected metadata that declares SECTORS_API_KEY as a required credential.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (querying api.sectors.app for IDX/SGX market data) matches the included documentation and code. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md and included script clearly require SECTORS_API_KEY. This discrepancy is an incoherence (the skill legitimately needs an API key but metadata does not declare it).
Instruction Scope
note: SKILL.md is narrowly scoped: it instructs the agent to only call https://api.sectors.app/v1, to use GET endpoints, and to read the API key from SECTORS_API_KEY. The doc suggests optional actions like adding the export line to ~/.bashrc and shows agent-specific config commands (Claude Code, OpenCode, Cursor). Those guidance steps are reasonable for setup, but the suggestions to append to shell profiles are privileged actions the user should confirm before performing.
Install Mechanism
ok: There is no install spec and no third-party downloads; the only dependency is requests (pip install requests), and the included scripts are small and readable. The setup-check script performs a single GET to the declared API endpoint. No high-risk install or remote code fetches were found.
Credentials
concern: Runtime instructions and scripts require a single API key (SECTORS_API_KEY), which is proportionate to the skill's purpose. However, the skill metadata did not declare this required env var (registry shows 'Required env vars: none'), an inconsistency that could mislead users or automated permission checks. Also, SKILL.md recommends adding the key to ~/.bashrc or agent config; storing secrets in plaintext shell profiles can be insecure, so prefer platform secret storage where available.
Persistence & Privilege
ok: The skill does not request always:true, does not request system-wide modifications, and is user-invocable. The only persistence suggestion in docs is optional advice to add an export to ~/.bashrc; that is a user action and not enforced by the skill. No evidence the skill modifies other skills or system settings.