Skill v1.0.4
ClawScan security
Finam · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 8:09 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested environment variables are consistent with a Finam Trade API client for browsing market data, scanning volatility, and managing account requests.
- Guidance: This skill appears to be a legitimate Finam Trade API client. Before installing, be aware that: (1) FINAM_API_KEY is sensitive: anyone with it can obtain JWTs and interact with your trading account, so store it securely; (2) running the included scripts (especially --active false or pagination over /assets/all and the volatility scanner) can generate many API requests and may hit rate limits or trigger account activity; (3) the skill will suggest exporting a short-lived JWT (FINAM_JWT_TOKEN) to your shell for convenience; only do that in trusted shells and sessions. If you only need read-only market data, consider using an API key/account with limited privileges if Finam supports that.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, jq, python3), required env vars (FINAM_API_KEY, FINAM_ACCOUNT_ID), included scripts, and referenced endpoints (api.finam.ru, finam.ru, FinamPy GitHub) all align with a Finam Trade API client. The provided assets and reference docs match the described functionality.
- Instruction Scope (ok): SKILL.md instructs the agent to obtain a JWT from Finam and then call Finam REST endpoints or run bundled Python scripts. The scripts only access the Finam API and local asset files; they do not read unrelated system paths or request unrelated credentials. Note: the scripts may perform many API requests (e.g., fetching /assets/all or scanning top-100 tickers) and will surface account-specific data when FINAM_API_KEY / ACCOUNT_ID are used, which is expected for this purpose.
- Install Mechanism (ok): No install spec is provided (instruction-only), so nothing is downloaded or installed by the skill itself. The skill expects standard binaries already present (curl, jq, python3), which is proportionate to the task.
- Credentials (note): The skill only requires FINAM_API_KEY and FINAM_ACCOUNT_ID, which are the reasonable credentials for this API. Treat FINAM_API_KEY as sensitive: it can be used to obtain short-lived JWTs and perform account operations (including trades) per the API. The helper will optionally store a JWT in FINAM_JWT_TOKEN (process environment or user-exported shell variable) for convenience.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide config or other skills' credentials. The scripts set FINAM_JWT_TOKEN in the process environment (and examples show exporting it in the shell) but do not attempt to modify other skills or global agent configuration.
