Skill v1.0.1

ClawScan security

finoview-report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 8:52 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The code and SKILL.md match the described purpose (calling finoview API) but the registry metadata omits the two required credentials (FINOVIEW_API_KEY / FINOVIEW_API_SECRET), an important inconsistency you should address before trusting this skill.
Guidance
This skill appears to implement exactly what it says (fetching finoview weekly reports) and the code is straightforward. However, the registry metadata failing to list the two required environment variables is a red flag: verify the skill's origin before providing API credentials. Before installing or using it: (1) confirm the publisher/source or prefer an official release/homepage; (2) do not reuse high-privilege keys — create and restrict a key for this use and rotate it afterwards; (3) set the FINOVIEW_API_KEY and FINOVIEW_API_SECRET only in a constrained environment (process-level or container) rather than system-wide if possible; (4) review the script yourself (it’s short and readable) and test it in an isolated environment to confirm behavior; (5) if you plan to allow autonomous invocation by agents, be extra cautious since missing metadata may cause secrets to be supplied without clear indication.

Review Dimensions

Purpose & Capability
concern: The skill's name, description, SKILL.md, and the included Python code all consistently implement calls to finoview.com's report_list API — capability matches purpose. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while both the instructions and code require FINOVIEW_API_KEY and FINOVIEW_API_SECRET. This metadata omission is an important mismatch.
Instruction Scope
ok: SKILL.md and scripts/api_call.py limit actions to reading two environment variables and making HTTPS POST requests to https://www.finoview.com.cn/autoApi/foreign/report_list, then formatting results. The instructions do not request unrelated files, other credentials, or exfiltration to unexpected endpoints.
Install Mechanism
ok: No install specification is provided (instruction-only with a single helper script). No downloads, package installs, or archive extraction are present — low install risk.
Credentials
concern: The code legitimately requires two secrets (FINOVIEW_API_KEY and FINOVIEW_API_SECRET) to call the API, which is proportional to the stated purpose. The concern is that the skill metadata does not declare these required env vars or a primary credential, making it easy for users or automated systems to miss that secrets are needed and supplied to the skill.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or system settings. It runs on demand and can be invoked by the agent normally.