Skill v1.0.6
ClawScan security
Gprophet Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 8:54 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (AI stock predictions) aligns with its instructions and only requests a single API key (GPROPHET_API_KEY); nothing in the files suggests hidden or unrelated access.
- Guidance: This skill appears coherent: it simply documents how to call an external G-Prophet API and requires one API key. Before installing, use a test/limited-scope API key (not a production account), set strict quotas/billing alerts, and monitor usage. Be cautious when using callback_url: only supply endpoints you control or trust to avoid leaking analysis data. Do not share or commit your API key; rotate/revoke it if compromised. If you need stronger assurance, verify the homepage and service documentation, and consider creating an account with minimal points/permissions for evaluation.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, README, and _meta.json consistently document an external HTTP API for stock prediction and analysis. The only required credential is an API key (GPROPHET_API_KEY) which matches the described authentication (X-API-Key). There are no unrelated binaries, config paths, or credentials requested.
- Instruction Scope (note): SKILL.md gives concrete HTTP endpoints and examples and instructs the agent to supply the API key via header or environment variable. It also documents webhook/callback support and an example MCP server entry; be aware that using callback_url will cause the service to POST results to arbitrary URLs, so only provide trusted callback endpoints. Otherwise instructions stay within the stated purpose and do not ask the agent to read unrelated files or secrets.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files executed). That is low risk: nothing will be downloaded or written to disk by an installer.
- Credentials (note): Only a single environment variable (GPROPHET_API_KEY) is required, which is proportionate for an external API. However, the API key carries billing/authorization power and should be treated as sensitive: use test/limited keys for evaluation, apply quotas, and monitor usage.
- Persistence & Privilege (ok): The skill is not always:true and does not request persistent system-wide privileges or other skills' config. It does not modify agent settings according to the provided materials.
