v0.1.0

Einstein Research — Portfolio Risk Analyzer

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

The skill is a coherent portfolio risk analysis tool, but users should be aware that it processes financial holdings, contacts Yahoo Finance for market data, and relies on manually installed Python packages.

Guidance

Before installing, use a separate Python environment, verify the packages you install, and be aware that ticker symbols will be queried through Yahoo Finance. Do not provide brokerage credentials, and treat generated mitigation suggestions as informational rather than automatic trading advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
README.md
pip install yfinance numpy pandas scipy

The skill relies on manually installed, unpinned Python packages, and the registry install specification is absent. This is purpose-aligned for a Python analytics script, but users should install from trusted package sources.

User impact: Installing dependencies from the public package ecosystem can introduce normal supply-chain risk if the environment or package source is not trusted.
Recommendation: Install in a dedicated environment, consider pinning package versions, and verify packages come from expected sources before running the script.
Human-Agent Trust Exploitation
Severity: Info; Confidence: Medium; Status: Note
SKILL.md
provide concrete suggestions for risk mitigation

The skill is intended to summarize risk and provide mitigation suggestions. This is aligned with the portfolio-analysis purpose, but users should not treat the output as personalized financial advice or an instruction to trade.

User impact: A user could over-rely on generated risk suggestions when making financial decisions.
Recommendation: Treat reports as informational risk analysis and consult qualified financial guidance before making trades or portfolio changes.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/portfolio_risk.py
raw = yf.download(tickers, start=start, end=end, auto_adjust=True, progress=False)

The script sends the ticker list being analyzed to yfinance/Yahoo Finance to retrieve price data. This is expected for market-risk analysis, but ticker symbols can reveal parts of a user's portfolio.

User impact: The external market-data provider may learn which symbols are being analyzed, although the shown code does not show share counts, cost basis, credentials, or brokerage access being sent.
Recommendation: Use only with portfolio symbols you are comfortable querying through Yahoo Finance/yfinance, and avoid including unnecessary private details in input files.