Skill v1.0.1

ClawScan security

A Stock Premarket Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 3:38 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, documentation, and runtime instructions align with its stated purpose (generating an A‑share premarket briefing); it does not request secrets or perform unexpected I/O, though it relies on external tools/skills that you should vet first.
Guidance
This skill appears coherent and focused on producing a premarket briefing. Before installing/using it: 1) Vet the 'summarize' CLI source (the README suggests a third‑party Homebrew tap) — only install from sources you trust. 2) Verify the multi-search-engine skill you will call is trusted, because the skill delegates web fetching/searching to it (so that skill's permissions and endpoints matter). 3) Expect the agent to need network access and the ability to run subprocesses for the summarize CLI; run in a sandbox if you want to limit risk. 4) Review/modify the code if you want stronger holiday calendar checks or tighter limits on which sites are fetched. Overall, there are no obvious attempts to exfiltrate secrets or perform unrelated actions.

Review Dimensions

Purpose & Capability
ok: Name/description match the included Python scripts and SKILL.md: the code generates a premarket briefing, produces search queries, and delegates web fetching and summarization to external tools (multi-search-engine and summarize). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md and the scripts keep to the stated scope: build search queries, request searches, extract page content via a summarize CLI, and produce an analysis prompt. The instructions do not ask to read system files, environment secrets, or post data to unknown endpoints. Execution is explicitly delegated to external search and summarization tools.
Install Mechanism
note: There is no automated install spec (instruction-only install), which reduces risk. The README/SKILL.md recommend 'pip install requests' and 'brew install steipete/tap/summarize'. The brew tap (steipete/tap) is a third‑party tap—this is only a suggestion but worth vetting before installing the CLI from that source.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The behavior in code matches that: network access is used only conceptually via external tools. There are no extraneous secret-exposing patterns in the files.
Persistence & Privilege
ok: Skill is not always-on and does not request elevated or persistent privileges. It does not attempt to modify other skills or system-wide agent settings. It does run subprocesses (summarize CLI) when executed, which is expected for its purpose.