Skillv1.0.1

ClawScan security

Market Structure Scan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 27, 2026, 2:51 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are internally consistent with a web-scraping, rule-based market-structure scanner; it asks for no secrets or installs and only instructs the agent to fetch and parse public web pages for technical indicators.
Guidance: This skill appears coherent and low-risk: it only scrapes public market pages and computes indicator-based scores and does not request secrets or install code. Before installing, confirm that your agent's browse_page capability is enabled and that you understand where scraped output will be stored or sent. Be aware scraping TradingView/Investing.com may be brittle (requires UI interactions, may need login or be blocked) and data accuracy depends on successful extraction. If you plan to rely on its outputs for trading decisions, test it on tickers/timeframes you control and consider requesting the skill author provide example runs or the exact DOM selectors used. If you prefer, ask the author for a version that uses authenticated exchange APIs (with explicit, limited credentials) rather than scraping public pages.

Review Dimensions

Purpose & Capability: okThe name and description (multi-timeframe crypto/market scanner using Ichimoku, BB, MACD, RSI, EMA ribbon, Linear Regression, Fib) match the runtime instructions: fetch indicator values from public market pages and compute a confluence score. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteInstructions require using browse_page to fetch TradingView / Investing.com / Yahoo / CoinGecko pages and extract many specific technical indicators per timeframe. This is within the stated purpose, but relies on the agent's ability to interact with and parse dynamic, JS-heavy pages and to change chart timeframes. The instructions do not ask for any local files or secret data, but browsing external sites can be brittle (login/anti-bot) and may return incomplete data.
Install Mechanism: okNo install spec or code files are present (instruction-only). This minimizes disk-write and supply-chain risk.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The requested actions (public web scraping for indicators) do not justify additional secrets, so the minimal environment footprint is appropriate.
Persistence & Privilege: okalways is false and there are no install hooks or requests to modify agent/system settings. disable-model-invocation is default (false) which allows autonomous invocation — expected platform behavior and not in itself a problem given the limited scope and lack of credentials.