Back to skill
Skillv1.0.0
ClawScan security
Data 912 Market Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 18, 2026, 12:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions match its stated purpose of querying Data912's public market API; no credentials, installs, or suspicious behaviors are present, though the SKILL.md assumes curl/jq availability which isn't declared.
- Guidance
- This skill appears to do what it says: query Data912's public endpoints and summarize results. Before installing, note: (1) the SKILL.md examples use curl and jq but the skill metadata does not declare those binaries — ensure your agent environment provides them or the skill may fail; (2) Data912 documents the data as educational/non-real-time and has rate limits (≈120 req/min, and Cloudflare caching), so treat outputs as indicative, not live market prices; (3) all network requests go to https://data912.com, so avoid embedding any secrets or personal credentials in queries; and (4) do not rely on this for financial or trading decisions. If you need stronger guarantees about data provenance or latency, prefer an authenticated/official market data provider.
Review Dimensions
- Purpose & Capability
- okName and description describe querying Data912 market endpoints and the included OpenAPI and SKILL.md map directly to that purpose. The endpoints and data fields documented are consistent with a market-data retrieval skill.
- Instruction Scope
- noteSKILL.md instructs the agent to fetch JSON from https://data912.com using `curl -s` and parse with `jq`, perform retries/backoff, validate tickers, and summarize results. These instructions stay within the declared purpose (data retrieval and presentation). Minor inconsistency: the skill declares no required binaries, yet runtime examples assume curl and jq are available; the agent environment must provide those tools or the instructions should use an alternative HTTP/json mechanism.
- Install Mechanism
- okNo install spec and no code files — instruction-only. That minimizes disk/write risk. The included OpenAPI spec is a local reference file; it does not introduce an install step.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The API is documented as public/no-auth, so no secrets are required or requested.
- Persistence & Privilege
- okalways:false and default autonomous invocation are in place. The skill does not request elevated persistence or modify other skills' config. This is the normal level of privilege for a query-only skill.