Skillv1.0.0

ClawScan security

stock-hot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 17, 2026, 3:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is internally consistent: it needs only an AISA API key and python, runs a local script that calls the AISA API, and does not request unrelated credentials or system access.
Guidance: This skill appears to do what it claims: it runs a local Python script that forwards prompts to the AISA API using your AISA_API_KEY and returns a market report. Before installing/providing a key, verify you trust the AISA service endpoint (default https://api.aisa.one/v1) and understand that the model is responsible for fetching live web data — outputs can be inaccurate or hallucinated. The skill does not access local files or other credentials, but you will need to have/install the Python OpenAI client dependency for the script to work. Treat results as informational only (not financial advice) and revoke the AISA API key if you later stop trusting the service.

Purpose & Capability: okName/description (hot stock/crypto scanner) aligns with the actual requirements: a single AISA API key and python3. The script sends prompts to the AISA service to produce live market reports, which is coherent with the stated purpose.
Instruction Scope: noteSKILL.md directs running the bundled Python script which only reads AISA-related environment variables and calls the AISA API. The embedded LLM prompts instruct the model to 'fetch' live data (Yahoo Finance, CoinGecko, news). That is expected for a real-time scanner, but it means the external AISA model/service is relied on to access web sources — if that model lacks browsing/tools it may hallucinate. The skill itself does not read local secrets or unrelated files.
Install Mechanism: okNo install spec is provided (instruction-only + a script). The script comments list 'openai' as a dependency but no installer is run by the skill. This is low-risk—user must install python and the OpenAI client manually or via their environment.
Credentials: okOnly AISA_API_KEY is required (primary credential). Optionally AISA_BASE_URL and AISA_MODEL can be set at runtime. No unrelated credentials, config paths, or secrets are requested.
Persistence & Privilege: okThe skill is not always-enabled and does not attempt to modify agent/system settings or persist credentials. It runs only when invoked.