Skill v1.0.1
ClawScan security
commodity-macro-signal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 3:48 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only commodity/macro analysis wrapper around the Finskills API, and its declared requirements and runtime instructions are consistent with that purpose. Provenance and minor metadata mismatches still merit caution.
- Guidance: The skill appears internally consistent: it needs only a FINSKILLS_API_KEY and calls finskills.net endpoints to compute commodity-based macro signals. Before installing, verify the external services and the repository:
  1. Confirm that finskills.net and the referenced GitHub/ClawHub pages are legitimate and belong to the owner you expect; review their privacy/security documentation and the scope granted to the API key.
  2. Note the small metadata inconsistencies (registry version 1.0.1 vs. SKILL.md 1.0.2, and no homepage in the registry record). These are usually benign but worth checking against the upstream repository.
  3. Start with a least-privilege or test API key, and provide no other credentials.
  4. If you will run any downloaded code (the README mentions a zip), inspect it before execution.
  If you need higher assurance, request the upstream GitHub source or publisher provenance before trusting the skill with sensitive or production API keys.
Review Dimensions
- Purpose & Capability (ok): Name and description match the actual behavior: every runtime action is an API call to finskills.net to fetch commodity prices/history and derive macro signals. The single required credential (FINSKILLS_API_KEY) is appropriate and expected for that purpose; no unrelated binaries, credentials, or system access are requested.
- Instruction Scope (ok): SKILL.md contains explicit API calls and a clear analysis workflow (trend windows, ratios, cycle classification). The instructions do not ask the agent to read local files, inspect unrelated environment variables, or exfiltrate system data. They do direct network requests to external endpoints (finskills.net, plus links to ClawHub and GitHub), which is expected for this skill but should be verified before the external service is trusted.
- Install Mechanism (ok): No install spec or code files are included (instruction-only), so the skill itself writes nothing to disk. The README mentions downloading a zip from ClawHub, but that is informational: there is no automated install action in the registry metadata.
- Credentials (ok): Only one secret is requested (FINSKILLS_API_KEY), and it is the primary credential used to call the Finskills API. The number and type of environment variables are proportionate to the stated functionality.
- Persistence & Privilege (ok): The skill does not request always:true or any other elevated persistence. It is user-invocable and allows normal autonomous invocation; it configures no other skills or system settings.
