Skill v1.0.1
ClawScan security
Us Stock Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 8:12 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested resources, runtime instructions, and bundled code are coherent with a US stock analysis tool that uses the AIsa API and a local Python client; nothing requests unrelated credentials or installs arbitrary code.
- Guidance: This package appears internally consistent, but before installing consider: (1) Only provide an AISA_API_KEY you trust—this key grants the skill access to your AIsa account and usage/billing. Use a least-privilege or test key if possible. (2) The skill sends any analysis input (tickers, prompts, fetched content) to api.aisa.one including LLM prompts—do not send sensitive personal data. (3) Review the full scripts locally if you want assurance they won't call other endpoints or write sensitive local files; the code shown makes only HTTP calls to api.aisa.one and prints/saves reports. (4) Be aware of cost implications: SKILL.md mentions per-analysis costs. If you want extra assurance, run the included test_api_data.py in a sandbox environment with a test API key first.
Review Dimensions
- Purpose & Capability: ok. Name/description, SKILL.md cURL examples, and the Python client all target the same host (api.aisa.one) and financial/news/social/LLM endpoints. Requiring python3 and a single AISA_API_KEY credential is proportionate to the described functionality.
- Instruction Scope: ok. Runtime instructions and examples limit activity to calling AIsa endpoints and running the bundled Python scripts. The SKILL.md does not instruct reading unrelated local files or environment variables. The scripts use the API key only for HTTP requests to api.aisa.one.
- Install Mechanism: ok. There is no automated install that downloads/extracts remote code; this is an instruction-and-script package. requirements.txt lists httpx and asyncio (the latter is part of stdlib), which is reasonable for the included Python client. No obscure download URLs or installers are used.
- Credentials: ok. Only AISA_API_KEY is required and used as the Authorization Bearer token for calls to the documented API. No other secret environment variables or unrelated credentials are requested.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request special platform privileges or attempt to modify other skills. It runs client-side Python scripts that perform network calls; autonomous invocation is allowed by default but not combined with other red flags.
