v1.0.0

Trading Coach

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

The artifacts match a trading CSV review tool, but users should review the external GitHub code before running it and protect their private trading data.

Guidance: Before installing, inspect the referenced GitHub repository and dependencies, run it in a virtual environment, and use a copy of your trading CSV with unnecessary personal or account identifiers removed. Treat generated trading scores and recommendations as informational, not as guaranteed financial advice.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
git clone https://github.com/BENZEMA216/tradingcoach.git ~/tradingcoach ... pip install -r requirements.txt

The setup directs users to fetch and install code and dependencies from an external repository that is not included in the provided artifact files.

User impact: Installing the external project may run code or dependencies that were not represented in this skill package.
Recommendation: Verify the repository and requirements before installation, use a virtual environment, and avoid running it on sensitive data until the code is reviewed.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
python scripts/import_trades.py /path/to/trades.csv ... python scripts/run_matching.py ... python scripts/score_positions.py --all ... python scripts/analyze_scores.py

The documented workflow requires executing local Python scripts. This is disclosed and central to the stated purpose, but the script contents are not part of the provided files.

User impact: Using the skill as documented means running local code on the user's machine rather than only generating a text analysis.
Recommendation: Run the scripts only from a trusted checkout, preferably in an isolated environment and on a copy of the CSV data.
Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
references/scoring_system.md
Only execute trading opportunities with a score ≥ 70

The documentation includes actionable trading guidance based on generated scores, which can influence real financial decisions.

User impact: A user could over-rely on the scoring system when deciding whether to trade.
Recommendation: Treat the report as educational analysis, validate conclusions independently, and do not rely on it as sole financial advice.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
references/csv_formats.md
成交价格 | 成交数量 | 成交金额 | 成交时间 | 币种 | 手续费

The supported CSV fields include detailed financial transaction information that will be used to generate reports and summaries.

User impact: Private trading history may appear in the analysis output or any saved reports.
Recommendation: Use only the intended CSV files, remove unnecessary identifiers such as account numbers if present, and avoid sharing generated reports publicly.