Skill v2.3.0

ClawScan security

Israeli Stock Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 8:19 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (Israeli stock analysis); nothing appears malicious, but there are a few operational oversights (undeclared tooling assumptions and optional API keys) you should review before use.
Guidance
This skill appears to do what it says: analyze Israeli (TASE) stocks using public APIs and built-in templates. Before installing or running it, review and accept these points:

- Tooling expectations: The bundled scripts assume python3 (for the Python script) and curl + jq (for the shell script). The registry metadata lists no required binaries, so make sure you have those tools installed, or run the Python script explicitly if you prefer. The SKILL.md also references 'mcporter' (MCPs), which is optional but not declared.
- API keys are optional: For live data the scripts use FINNHUB_API_KEY (recommended) and can fall back to Alpha Vantage (demo key) or mock templates. Only provide FINNHUB_API_KEY (or other provider keys) if you trust the skill and the environment. The code does not access unrelated secrets.
- Review scripts before execution: Both scripts are short and readable; they perform HTTP(S) calls to public APIs for the requested tickers and return JSON templates. If you plan to run them in an environment with sensitive data, double-check there is no unintended logging or data exfiltration; in this bundle they only send ticker identifiers to public endpoints.
- MCP usage: SKILL.md suggests using MCPs (Bloomberg/Yahoo/TASE MCP). If you wire those up, ensure access control and credentials for those MCPs are handled separately and intentionally; the skill does not declare or require them by default.
- Operational note: If you need guaranteed offline behavior, the scripts fall back to mock data when API keys are not set. If you want fully live analysis, obtain API keys and understand their rate limits/terms.

If you want, I can:
1) list the exact lines in the scripts that reference environment variables and external endpoints, or
2) produce an action checklist for safely running these scripts in your environment.

Review Dimensions

Purpose & Capability
ok: Name/description match the included references and the two helper scripts: the skill fetches market, fundamental and technical data for TASE tickers and generates analysis templates. The requested data sources (Finnhub, Alpha Vantage, TASE/ISA, company IR pages) are appropriate for stock analysis.
Instruction Scope
note: SKILL.md stays within stock-analysis scope: it instructs use of bundled scripts, MCPs, direct API calls and web search. It does not instruct reading unrelated system files or exfiltrating arbitrary secrets. However, it suggests using MCPs and 'mcporter call' without declaring that dependency, and recommends running local scripts which assume tools (python3, curl, jq) that are not declared in the registry metadata.
Install Mechanism
ok: No install spec (instruction-only), and the included scripts are simple, human-readable Python/bash that fetch public APIs. No downloads from untrusted hosts or obscure URLs; nothing is written to disk by an installer. This is low risk from an install-mechanism perspective.
Credentials
note: The skill uses typical API keys (FINNHUB_API_KEY, optionally ALPHA_VANTAGE_API_KEY) which are proportionate to fetching live market data. The registry lists no required env vars (they are optional), which is reasonable, but the code will use those environment variables if present. No unrelated credentials or broad system secrets are requested.
Persistence & Privilege
ok: 'always' is false, there are no required config paths, and the scripts do not modify other skills or system-wide agent settings. The skill does not request permanent presence or elevated privileges.