Skill v0.0.2
ClawScan security
ChartClass · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 9:14 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are internally consistent with a chart-analysis API client, but the publisher and endpoint details are unknown so exercise caution when providing an API key.
- Guidance: This skill appears coherent for a chart-analysis API client and only asks for a single API key. Before installing or providing CHARTCLASS_API_KEY, confirm the provider (homepage or repo) and review their privacy/security policy. If you must test it: (1) use a limited-scope or low-privilege API key, (2) avoid using keys tied to billing-sensitive or high-permission accounts, and (3) check where the agent will send data (the SKILL.md gives no hostname/endpoints). Also be aware that the optional CHARTCLASS_DEFAULT_TIMEFRAME env var is mentioned in the docs but not declared in the registry; that mismatch is likely harmless but worth noting.
Review Dimensions
- Purpose & Capability (ok): Name/description (technical chart analysis) align with the declared requirement: a single API key (CHARTCLASS_API_KEY) used to authenticate requests for OHLCV, indicators, and pattern scans. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (note): SKILL.md is instruction-only and simply describes using ChartClass APIs for pattern recognition and indicator data; it does not instruct reading local files or unrelated system state. Note: the doc mentions an optional CHARTCLASS_DEFAULT_TIMEFRAME env var but that optional var is not declared in the registry requires.env list.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This minimizes on-disk execution risk because nothing is written or fetched by an installer as part of skill setup.
- Credentials (note): Only one required credential (CHARTCLASS_API_KEY) is declared, which is proportionate to an API-based charting service. However, the skill offers no homepage or source repo and provides no details about the API endpoints or the provider, which increases the risk associated with giving an API key to an unknown service. Also, the SKILL.md references an optional CHARTCLASS_DEFAULT_TIMEFRAME env var that isn't declared.
- Persistence & Privilege (ok): always is false and the skill is user-invocable (normal). The skill does not request persistent system-wide privileges or access to other skills' configs.
