Skill v1.0.1

ClawScan security

macro-regime-detector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 3:45 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with its stated purpose: it only needs a FINSKILLS_API_KEY and instructs the agent to call Finskills API endpoints to produce a macro regime report.
Guidance
This skill appears internally consistent, but before installing: 1) verify the publisher and the GitHub repo referenced in SKILL.md to ensure the skill and API are legitimate; 2) confirm you trust finskills.net (review their privacy policy and what the API logs); 3) treat the FINSKILLS_API_KEY like any secret — use a key with minimal permissions, rotate it regularly, and do not reuse it elsewhere; 4) note the skill will make outbound network calls to finskills.net — if you need stricter controls, restrict autonomous invocation or sandbox the skill; and 5) if you want extra assurance, ask the publisher for the source code or an install spec so you can audit network payloads and confirm no unexpected data is sent.

Review Dimensions

Purpose & Capability
note: The name/description, required env var (FINSKILLS_API_KEY), and runtime instructions all align: the skill fetches macro data from finskills.net and classifies regimes. Minor metadata inconsistency: registry metadata earlier listed no homepage, but SKILL.md includes a GitHub homepage and finskills.net links; recommend verifying the publisher and repo before trusting the API key.
Instruction Scope
ok: SKILL.md only instructs GET requests to finskills.net free-tier endpoints and local computation (spreads, trends, scoring). It does not instruct reading local files, other environment variables, or exfiltrating data to unrelated endpoints.
Install Mechanism
ok: Instruction-only skill with no install spec or code files; nothing is downloaded or written to disk by the skill itself according to the provided metadata.
Credentials
ok: Only a single API key (FINSKILLS_API_KEY) is required and it directly maps to the declared external service (Finskills). No unrelated secrets, config paths, or broad credential requests are present.
Persistence & Privilege
ok: "always" is false and there is no install step that modifies other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with broad access or other red flags.