Skill v0.2.8

ClawScan security

agent-stock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 25, 2026, 1:06 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's content matches a stock-quant/trading assistant, but its runtime instructions ask the agent to install/run external packages (via pip) and reference user account information without declaring or justifying credential access—this mismatch and the implicit install step are concerning.
Guidance
This skill looks like a real stock/quant assistant, but be cautious: the instructions ask the agent to install a Python package named 'agent-stock' via pip and to install Python if missing—that could run arbitrary code from PyPI. Before installing or letting the agent run these commands, verify the provenance of that pip package (official project page, package owner, and checksum). Also, do not paste brokerage or trading API keys into chat; ask why and where credentials will be stored. Prefer skills that declare required credentials in metadata and provide a clear install source. If you intend to run this, run installation steps yourself in a controlled environment (isolated VM/container) and audit the pip package contents first.

Review Dimensions

Purpose & Capability
note: Name/description (quantitative stock trading, screening, trade decisions) align with the instructions to call a 'stock' CLI and produce screening/trade reports. However, the docs reference using 'user account information' and performing trading actions while the skill declares no primary credential or required env vars; that omission is an inconsistency.
Instruction Scope
concern: SKILL.md instructs the agent to run a local 'stock' CLI (stock index/quant/query/quote/detail/rank) and to save results to local files under dist/. It also tells the agent to install system components (Python/pip and then 'pip3 install agent-stock') if the CLI is missing. Asking the agent to install packages and manage the environment expands its runtime scope beyond pure analysis and could lead to executing arbitrary code. The doc also instructs to 'directly end' after saving (suppressing any additional output), which reduces transparency.
Install Mechanism
concern: No formal install spec is declared in the registry, but the instructions explicitly direct installing an 'agent-stock' package via pip (and possibly installing Python). Having the agent perform a pip install of a package with the same name as the skill (without pinning a source or checksum) is a supply-chain risk: it may install arbitrary third-party code from PyPI or elsewhere. This is a higher-risk install mechanism even though it is not part of the registry's install spec.
Credentials
note: The skill requests no environment variables or credentials in metadata, yet the workflow mentions using 'user account information' for decisions. If actual trading or account access is required, the skill should explicitly declare which credentials (broker API keys, exchange tokens) it needs. The absence of declared credentials but clear expectation of account-level data is a mismatch that could lead the agent to ask the user for sensitive secrets ad hoc.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system-wide privileges. It writes output to local files (dist/...), which is consistent with its purpose. It does not claim to modify other skills or global agent settings.