ClawHub

Fed Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill asks for little access, but the included script does not actually perform the promised live Federal Reserve tracking and appears to hard-code the results.

This skill does not appear to steal data or request sensitive permissions, but its implementation does not match its promise of live, factual Fed tracking. Install or run it only if you are comfortable with a static/demo-style script, and verify any economic data against official Federal Reserve, BLS, or BEA sources before relying on it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI09: Human-Agent Trust Exploitation
Medium
What this means

A user could treat stale or fabricated-looking hard-coded economic data as current official information.

Why it was flagged

The source labels the data as live from Federal Reserve sources but implements a fixed in-code list. This contradicts SKILL.md's claims that the skill polls public Fed/BLS sources and provides timely factual summaries.

Skill content
# ====== FED DATA (Live from Federal Reserve Sources) ===== ... FED_DATA = [ ... "metric": "Fed Funds Rate", "value": "4.25% - 4.50%" ... ]
Recommendation

Do not rely on this skill for current Fed or inflation facts unless the implementation is updated to fetch and cite live official sources, or the documentation clearly says it is only sample/static data.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The user cannot verify the referenced helper behavior from the supplied artifacts, and the documentation may describe capabilities that are not actually included.

Why it was flagged

SKILL.md says these helper skills/scripts are used, but they are not present in the provided manifest. The included script does not import them, so this is a provenance/documentation gap rather than evidence of hidden execution.

Skill content
- **poll_polymarket_markets.py** ... - **summarize_news.py** ... - **fetch_econ_data.py**
Recommendation

Treat the missing helpers as unreviewed unless separately provided; the publisher should remove the references or include the files with clear provenance.