v1.0.0

Investment Committee

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:05 AM.

Analysis

This is a coherent investment-analysis skill with no evidence of malicious behavior, but users should notice that it can run a price helper, use sub-agents, post reports to Discord, and save report history.

Guidance: Install only if you are comfortable with an AI-generated investment-analysis workflow that may post reports to the current Discord channel and save report history locally. Avoid sharing sensitive portfolio details in public channels, review saved history files, and verify all market data and recommendations independently.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
python3 {workspace}/investment-committee/scripts/fetch_price.py GOOGL 700.hk BTC GOLD

The skill relies on a bundled Python helper even though the registry declares no required binaries or install spec. The included code is straightforward, but users may need Python and the requests package.

User impact: The helper may fail or behave differently depending on the local Python environment, but the reviewed script does not show hidden or unrelated behavior.
Recommendation: Ensure Python and required libraries are available before use, and keep the bundled script reviewed if it is modified.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
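You are now playing the role of [master's name] ... extract directly executable operating parameters (stop-loss price, position size, conditions for adding to the position)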

The skill uses simulated famous-investor personas and asks for directly executable investment parameters.

User impact: Users could over-trust the output as if it were advice from real investors or as a definitive trading instruction.
Recommendation: Treat the report as AI-generated analysis, verify the underlying data independently, and do not make financial decisions solely from the skill output.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
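sessions_spawn × 5 (issued simultaneously to ensure independence) ... if the user holds a position: position ratio + whether it is currently at a profit or loss ... send to the current Discord channel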

The workflow may pass user portfolio details into multiple spawned sessions and then send the final report to the current Discord channel.

User impact: If a user includes sensitive holdings, profit/loss, or allocation details, those details may appear in sub-agent prompts and in the channel where the report is posted.
Recommendation: Use the skill in a private channel or avoid including sensitive portfolio information unless you are comfortable with it being included in the report.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
[Your previous score: X/10 (if a history file exists)] ... archive to `{workspace}/investment-committee/history/YYYY-MM-DD_标的_说明.md`

The skill saves reports to a workspace history folder and may reuse historical scores in later analyses.

User impact: Past reports can persist private investment context and may influence later outputs if the history is stale or edited.
Recommendation: Review or delete saved history files when they contain sensitive information, and verify past context before relying on follow-up recommendations.