Skill v1.0.0

ClawScan security

F-AI 金融数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 18, 2026, 8:56 AM)
Verdict: benign
Confidence: medium
Model: gpt-5-mini

Summary
The skill's files, install behavior, and runtime instructions are generally consistent with a market-data API integration, but there are small oddities (UAT base URL, no auth described, and a prohibition on local wrappers) you should verify before installing.
Guidance
This package appears to be a straightforward market-data skill bundle, but check these before installing:
1) Confirm the API host: the docs point to a UAT base URL (https://papi-uat.finloopg.com/...). Make sure you intend to call UAT versus a production endpoint.
2) Authentication: there are no API key or credential fields in the manifest or SKILL.md; verify whether the API actually requires an auth token and how to provide it safely.
3) Review local install: npx install will copy files into your project's .agents/skills directory and will prompt before overwriting; run the installer from a directory where this is acceptable.
4) Strange restrictions and minor copy/paste errors (e.g., publish.sh mentions a different package) are likely benign but indicate the package may be lightly maintained; inspect the files locally before running network calls.
If you need higher assurance, ask the publisher for a production base URL, authentication details, and source repository.

Review Dimensions

Purpose & Capability (ok)
Name/description match the provided SKILL.md and reference docs. The package contains a manifest, docs, and an installer that copies the skill into a local .agents/skills folder, consistent with installing a skills bundle for market-data queries.
Instruction Scope (note)
Instructions require direct HTTP POSTs to https://papi-uat.finloopg.com/flp-mktdata-hub and explicitly forbid creating local JS/TS wrapper files. Direct POSTs to the external UAT host are coherent for an API-based data skill, but the ban on wrappers is unusual (it limits agent implementation flexibility), and the docs do not mention any authentication or API keys; verify whether the API requires credentials.
Install Mechanism (ok)
No remote downloads or package installs. The included lib/install.js and bin/finloop-skills.js copy the skill bundle into a .agents/skills directory under the current working directory. This writes files locally but does not fetch external code, which is reasonable for a local skill installer.
Credentials (ok)
The skill declares no required env vars, binaries, or config paths. That aligns with the supplied SKILL.md, which shows unauthenticated example calls, though the absence of any auth mention is surprising for a market-data API and should be confirmed.
Persistence & Privilege (ok)
The manifest's "always" flag is false, and the installer only writes into the project's .agents directory (with a user prompt on overwrite). The skill does not request system-wide privileges or modify other skills' configs.