v1.0.0

Investment Analyzer

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:16 AM.

Analysis

The skill’s investment-analysis behavior is mostly coherent, but it bundles detailed personal financial/property data and requires an unexplained Gemini API key, so it should be reviewed before installation.

Guidance: Install only if this is your own private skill or you trust the publisher. Redact the bundled personal profile/portfolio data, verify the owner/source mismatch, remove the Gemini API key requirement unless it is clearly needed, and treat the outputs as decision support rather than professional financial advice.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
_meta.json
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "investment-analyzer"

The submitted registry metadata lists a different owner ID, while the source is unknown and no homepage is provided, creating a provenance mismatch for a skill that carries private data and requests a credential.

User impact: It is harder to verify who packaged the skill and whether the bundled private data and credential requirement are trustworthy.
Recommendation: Verify the publisher/source before installing, and prefer a private, freshly built copy with matching metadata.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/analyze_etf.py
"yfinance not installed. Run: pip install yfinance"

The scripts rely on third-party Python packages installed manually; scan_properties.py similarly expects BeautifulSoup, and no install spec or lockfile pins versions.

User impact: Manual, unpinned dependency installation can introduce package-version or supply-chain risk, even though the dependencies are purpose-aligned.
Recommendation: Install dependencies in an isolated environment from trusted package sources, and ask the author to provide a pinned requirements file.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
requires":{"bins":["gemini"],"env":["GEMINI_API_KEY"]},"primaryEnv":"GEMINI_API_KEY"

The skill requires a Gemini binary and API key, but the documented workflows only call local Python scripts and the provided scripts do not show a Gemini integration or scoped use of this credential.

User impact: A Gemini API key could authorize provider usage or costs without a clearly documented need in this skill.
Recommendation: Remove the Gemini credential requirement unless it is necessary, or document the exact command, data sent, and least-privilege scope before installation.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
references/portfolio.md
Address: 249 Rue Champagnat, Lévis, QC ... Mortgage balance: ~$210,000 ... Google Drive folder: `1AvpX_M1Lr36d86Oqcgh4-JNfbo-sNsbl`

This persistent reference file is intended for the skill’s analyses and contains real property addresses, mortgage/ownership details, and cloud document identifiers.

User impact: Personal financial and property details may be exposed to the agent context, outputs, or anyone with access to the installed skill files.
Recommendation: Move personal data to a private user-controlled config, redact addresses and document IDs from shared artifacts, and require explicit user consent before including these details in outputs.