Skill v1.0.0

ClawScan security

SnapTrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 13, 2026, 7:11 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and dependencies are consistent with its stated purpose (connecting to SnapTrade, generating reports, and optionally placing orders), but provenance is limited (no homepage/source) so verify before granting live credentials or using in production.
Guidance
This skill appears to implement exactly what it claims: SnapTrade connectivity, portal link generation, account listing, total-value reports, and placing/watching orders. Before installing or running it:
1) Verify the skill publisher and provenance (registry metadata shows no homepage/source) and audit the included code (you have the scripts locally).
2) Treat client_id/consumer_key and generated user_secret as sensitive — store them with strict permissions and do not commit them to version control.
3) Be aware the skill can place real trades; only run order scripts (buy/sell) if you intentionally permit live trading and understand the account/account-id you're acting on.
4) When using pip to install the SDK, prefer running in an isolated virtualenv/container and confirm the snaptrade-python-sdk package/version integrity.
5) If you need higher assurance, validate network endpoints used by the SDK and test with a sandbox/demo SnapTrade account first.

Review Dimensions

Purpose & Capability
ok
Name/description match the code and instructions. The scripts use the official SnapTrade Python SDK, implement connection portal generation, account listing, total-value calculation, order placement/monitoring, and reconnect flows — all expected for a SnapTrade portfolio/trading helper.
Instruction Scope
ok
SKILL.md and the scripts stay within scope: they instruct installing the SDK, creating a SnapTrade account, storing client_id/consumer_key/user_secret in a local config, and then call the SDK for listing accounts, holdings, and placing orders. They do not reference unrelated system paths, other services, or unexpected external endpoints.
Install Mechanism
note
Install is via pip (requirements.txt -> snaptrade-python-sdk==11.0.159). This is proportional to the task, but pip installs carry the normal supply-chain risk; the skill has no bundled installers or obscure download URLs.
Credentials
ok
No unrelated environment variables or credentials are requested. The skill expects a local JSON config (client_id, consumer_key) and will store a generated user_secret; this is proportionate to SnapTrade integration. The default config path is inside the user's home .openclaw workspace (overridable via SNAPTRADE_CONFIG), which is reasonable but worth noting.
Persistence & Privilege
ok
Skill is not forced-always, does not modify other skills, and only writes its own config file under the declared path. Agent/autonomous invocation is allowed (platform default) but is not combined with other elevated privileges here.