Skill v1.0.0
ClawScan security
Chart Master · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 4:26 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requirements are consistent with its stated purpose of generating financial charts; nothing requests unrelated credentials or installs arbitrary remote code.
- Guidance: This skill appears coherent and limited to generating charts. Before installing, confirm you trust the skill source and are okay with the script making outbound requests to Yahoo Finance (yfinance). When running it on a shared agent or server, note that the PNG is written to the current working directory and the script prints the absolute file path (MEDIA: ...), which could appear in logs. Also be aware you'll need to provide the Python dependencies (yfinance, mplfinance, pandas) in the runtime environment. There's a minor bug/quirk: the --volume flag is defined with action='store_true' but default=True, so volume will effectively always be enabled unless you modify the script flags; this is not a security issue but may affect expected output.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included Python script and SKILL.md. The script only depends on yfinance, mplfinance, and pandas to fetch market data and draw charts; no unrelated binaries, credentials, or config paths are requested.
- Instruction Scope (note): Runtime instructions tell the agent to run the bundled script which fetches market data via yfinance and writes a PNG to the working directory. This is within scope. Note: the script makes outbound network requests (to Yahoo Finance via yfinance) and prints an absolute path prefixed with 'MEDIA:' to signal the generated image — both are expected for this purpose but worth awareness.
- Install Mechanism (ok): No install spec is present (instruction-only with a bundled script). Dependencies are standard Python packages from public registries; nothing is downloaded from obscure URLs or executed from arbitrary archives.
- Credentials (ok): No environment variables, secrets, or extra credentials are required. The script does not attempt to read other config files or credentials. Dependency access to network-hosted market data is justified by the skill's purpose.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/system-wide privileges or modify other skills. It simply writes an output image to the current working directory.
