Back to skill
Skillv1.0.0
ClawScan security
money-flow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 7:53 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only skill that describes how to analyze money-flow and related indicators; its requirements and instructions are consistent with that purpose and it doesn't request credentials, installs, or system access.
- Guidance
- This skill is an instructional template for funds-flow analysis and appears internally consistent. Before installing or using it in an agent: (1) confirm where market data will come from — the skill does not supply data sources, so the agent may call external APIs (which could require API keys); (2) if the agent will fetch data, verify which endpoints and credentials will be used and ensure they are trustworthy; (3) test the skill in a sandboxed agent run to observe any network calls; (4) avoid providing unrelated secrets or system access to the skill. If you need the skill to fetch live data, prefer a version that declares its data sources and required env vars explicitly.
Review Dimensions
- Purpose & Capability
- okName, description and content all describe a market funds-flow analysis framework (DDX/DDI, volume-price rules, practical steps). The skill is instruction-only and does not request unrelated binaries, credentials, or config paths — this is proportionate to the stated purpose.
- Instruction Scope
- noteThe SKILL.md cleanly describes indicators and a 4-step workflow. It does not instruct reading user files or other system state. One small omission: it doesn't specify where or how market data (tick/trade/volume data) should be obtained; in practice the agent or integrator must supply data sources or APIs, and that is when credentials or network calls may be introduced.
- Install Mechanism
- okNo install spec and no code files — lowest-risk instruction-only skill. Nothing is written to disk or downloaded by the skill itself.
- Credentials
- okThe skill does not require environment variables, API keys, or access to other services in its metadata. There are no requested secrets or config paths that would be disproportionate to a funds-flow analysis guide.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. Autonomous invocation is allowed (platform default) but not combined with broad privileges or credentials, so there is no unusual persistence or privilege request.