Skill v1.0.0
ClawScan security
public-company-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 12:42 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested actions, lack of installs/credentials, and instructions are coherent with its stated purpose (producing a real-time, structured equity research report), though it requires web access and comes from an unknown source so verify provenance before trusting outputs.
- Guidance: This skill appears to do what it claims: produce a structured, data-driven company report using live public sources. Before installing, consider: (1) provenance: the skill author and homepage are unknown, so treat outputs as unvetted and validate important figures against primary filings (SEC/EDGAR, company IR); (2) web access: the skill depends on real-time web searches and scraping public sites (including social media/forums), so if you prefer to avoid external network activity, don't enable it; (3) model limitations: DCFs and valuations depend heavily on assumptions (growth, WACC, terminal rate) so verify assumptions and sensitivity ranges manually; (4) privacy: the skill does not request credentials or read local files, so there is low risk of secret exfiltration. If you rely on paid data (Bloomberg) or proprietary APIs, expect incomplete results unless you provide authorized access via the platform's approved connectors.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the runtime instructions: the SKILL.md describes producing company overviews, DCFs, technicals, and sentiment and asks the agent to fetch real-time market data and public filings. The actions requested (web search, data aggregation, valuation calculations) are appropriate for a stock-analysis skill and there are no unrelated credentials, binaries, or config paths required.
- Instruction Scope (note): Instructions are explicit and narrowly focused on public market data, financials, filings, and public sentiment sources (Yahoo, SEC/EDGAR, company IR, forums). They require internet access and scraping/aggregation of public content (including forum posts and social media). This is expected but worth noting: the skill does not ask for or instruct reading local files or private credentials, but results depend on real-time web access and correct source attribution.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, the lowest-risk installation footprint. Nothing is downloaded or written to disk by the skill itself according to the metadata.
- Credentials (ok): No environment variables, credentials, or config paths are required. The requested data sources are public and consistent with the stated purpose. There are no disproportionate secret requests.
- Persistence & Privilege (ok): Skill is not forced-always-present (always: false) and does not request system-wide changes. Autonomous invocation is allowed by default but that is platform behavior; nothing in the skill requests elevated persistence or modification of other skills.
