finskills-one

Security checks across malware telemetry and agentic risk

Overview

This appears to be a read-only financial-data skill that uses the Finskills API key as expected, with no evidence of hidden exfiltration, purchases, or destructive behavior in the provided artifacts.

This skill looks appropriate for read-only financial research through Finskills. Before using it, obtain a Finskills API key from the official site, keep the key scoped and private, prefer environment-variable configuration, and run the optional Python helpers only in a trusted virtual environment. Do not provide full payment card numbers; the BIN lookup documentation only needs the first 6–8 digits.

VirusTotal

2/66 vendors flagged this skill as malicious, and 64/66 flagged it as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The user may need to provide or configure a Finskills API key, which could affect their account quota, billing, or access if mishandled.

Why it was flagged

The skill needs a provider API key to function. This is expected for Finskills access, but it is still a credential and is not declared as a primary credential or required environment variable in the registry metadata.

Skill content

All requests require the `X-API-Key` header. If the user has not provided one, ask for it

Recommendation

Use a dedicated Finskills key with appropriate limits, prefer setting it as `FINSKILLS_API_KEY` rather than pasting it into chat, and avoid sharing unrelated credentials.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If the user installs the optional helper dependencies, they rely on whatever compatible `requests` package version pip resolves in their environment.

Why it was flagged

The optional helper scripts depend on a broadly versioned PyPI package rather than a pinned, hash-locked dependency. This is common for simple helper scripts, but it is still supply-chain relevant when users run `pip install`.

Skill content

requests>=2.31

Recommendation

Install optional dependencies in a virtual environment and consider pinning versions or using a lockfile for reproducible installs.