Back to skill
Skillv2.0.0
ClawScan security
Fund Advisor Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:54 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match the stated fund-advisor purpose: local CLI tools for calculations, allocation, rebalancing and simple local tracking; it does not request credentials or perform network exfiltration in the provided files.
- Guidance
- This skill appears coherent and implements a local fund-advisor CLI: it does finance computations, gives allocation/rebalancing suggestions, and keeps simple local logs in ~/.local/share/fund-advisor-cn (or a custom FUND_ADVISOR_CN_DIR). No credentials or network calls were observed in the provided content. Before installing: (1) verify the publisher/source (bytesagain.com / GitHub link listed) if you require provenance; (2) review the full scripts (fund.sh in particular is large — ensure there are no hidden network calls or commands beyond the truncated preview); (3) if you do not want the agent to write files, do not grant autonomous execution or unset FUND_ADVISOR_CN_DIR; (4) treat outputs as educational information, not professional financial advice.
Review Dimensions
- Purpose & Capability
- okName/description (fund screening, DCA, asset allocation, rebalancing) align with the included scripts: fund.sh implements calculations, allocation and rebalance analysis; script.sh implements a local tracking/CLI interface. No unrelated credentials, binaries, or cloud APIs are requested.
- Instruction Scope
- noteSKILL.md gives CLI usage (help/run) and the scripts run local computations and present advice. The scripts read/write only to a local data directory (FUND_ADVISOR_CN_DIR or $XDG_DATA_HOME/$HOME) and use embedded Python for finance math. SKILL.md and scripts do not direct data to external endpoints in the portions provided. Note: the script writes logs and a local data.log/history.log; if you care about local persistence, expect these files in ~/.local/share/fund-advisor-cn (or custom dir).
- Install Mechanism
- okNo install spec or external downloads are present; this is an instruction-only package with bundled scripts. No network-based installers or archive extraction from arbitrary URLs were observed.
- Credentials
- okNo required environment variables or credentials are declared. Scripts optionally respect FUND_ADVISOR_CN_DIR, XDG_DATA_HOME and HOME to determine data storage location — reasonable and proportionate for a local CLI tool.
- Persistence & Privilege
- okalways is false and the skill does not request system-wide privileges. It will create and write files under the user's data directory (defaults to ~/.local/share/fund-advisor-cn). Autonomous invocation is allowed by default (platform behavior); if enabled, the agent could run these local scripts and create/modify those files.