Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
financial-analyst
v1.0.0
Performs financial ratio analysis, DCF valuation, budget variance analysis, and rolling forecast construction for strategic decision-making. Use when analyzi...
by Alireza Rezvani (@alirezarezvani)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, templates, reference docs, and the four analysis scripts (ratio, DCF, variance, forecast) are coherent and proportional to a financial-analysis skill — nothing in the manifest asks for unrelated credentials, binaries, or system paths.
Instruction Scope
SKILL.md limits runtime actions to running local Python scripts against user-provided JSON files and generating reports/templates. It does instruct validating input data and cross-checking outputs (appropriate). It does not mention contacting external endpoints, but the provided SKILL.md and assets do not include the actual Python source content for inspection, so we cannot verify whether the scripts themselves perform network I/O, write outside expected locations, or read unrelated system files.
Install Mechanism
No install specification — instruction-only skill that relies on local Python. This is low-risk in terms of installation because nothing is downloaded or written during install.
Credentials
No required environment variables, no primary credential, and no config paths are declared. That is appropriate for a local financial-analysis tool that operates on files supplied by the user.
Persistence & Privilege
Skill is not always-enabled and uses normal model invocation. It does not request persistent platform privileges in the registry metadata.
What to consider before installing
This package appears consistent with its stated purpose, but the Python scripts (scripts/*.py) were not included in the provided contents for review — that is the main unknown. Before running this skill on sensitive or production financial data, review the Python sources for these risks: any outbound network calls (requests, urllib, sockets, http clients), arbitrary subprocess execution (subprocess, os.system, eval/exec), file reads outside the working/input files, credential harvesting (os.environ access and transmission), and obfuscated or minified code (base64, exec of decoded strings). If you can't inspect the code, run it in an isolated sandbox/container with no network access and test with synthetic or redacted data. Consider static checks (grep for 'requests', 'socket', 'subprocess', 'eval', 'exec', 'open' with absolute paths) and a quick dynamic monitor (network traffic, file writes) when first executing.
Like a lobster shell, security has layers — review code before you run it.
latestvk971xzq2f9t59g7dm7nhxmwr8n82qakn
