Investment Analyzer

Security checks across malware telemetry and agentic risk

Overview

The investment-analysis logic is mostly coherent, but the skill embeds a specific person’s financial/property details and requires a Gemini API key without a clear workflow need.

Review and replace the bundled personal profile and portfolio data before using this skill. Do not provide a GEMINI_API_KEY unless the publisher clearly explains why it is needed and what data will be sent. Treat the BUY/PASS outputs as rough analysis based on assumptions, not as financial advice.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Installing this skill may require configuring, and therefore exposing, an API key with possible account or billing implications, for a purpose that is not evident in the provided artifacts.

Why it was flagged

The skill requires a Gemini binary and API key, but its listed workflows run local Python scripts for property, ETF, DCA, and Centris analysis; no included script shows a clear need to use GEMINI_API_KEY.

Skill content
metadata: {"clawdbot":{"emoji":"📈","requires":{"bins":["gemini"],"env":["GEMINI_API_KEY"]},"primaryEnv":"GEMINI_API_KEY"}}
Recommendation

Remove the Gemini requirement unless it is actually needed, or clearly document exactly when the key is used, what is sent to Gemini, and how the credential is protected.

ASI06: Memory and Context Poisoning
Severity: Medium
What this means

The agent may reuse someone else’s private financial profile in future investment advice, and the package itself exposes sensitive personal financial/property context.

Why it was flagged

The skill includes persistent reference data with identifiable property addresses, mortgage balances, ownership details, holdings, and storage identifiers, and SKILL.md directs the agent to use these references for analysis.

Skill content
Address: 249 Rue Champagnat, Lévis, QC ... Mortgage balance: ~$210,000 ... Google Drive folder: `1AvpX_M1Lr36d86Oqcgh4-JNfbo-sNsbl`
Recommendation

Replace personal reference files with templates, remove addresses and drive IDs, and require each user to provide their own private local profile before generating advice.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

Running the scan sends the chosen city and price filters to Centris and may fail if the site changes or blocks scraping.

Why it was flagged

The property scanner makes outbound requests to Centris listing endpoints. This is disclosed by the skill’s Centris-scanning purpose, but it is still external web automation.

Skill content
session.post(f"{CENTRIS_BASE}/Property/UpdateQuery", ...); session.post(f"{CENTRIS_BASE}/Property/GetInscriptions", ...)
Recommendation

Use the scan only when you intend to query Centris, and verify listing data manually before acting on results.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Users may install dependencies from the public package ecosystem without pinned versions or a lockfile.

Why it was flagged

The code prompts the user to install an unpinned third-party Python package (yfinance) via pip, and a similar pattern exists for beautifulsoup4 in the property scanner. This is purpose-aligned but not captured by an install spec.

Skill content
print(json.dumps({"success": False, "error": "yfinance not installed. Run: pip install yfinance"}))
Recommendation

Provide a pinned requirements file or install spec, and review dependencies before installing them.