finskills-one
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a read-only financial-data skill that uses the Finskills API key as expected, with no evidence of hidden exfiltration, purchases, or destructive behavior in the provided artifacts.
This skill looks appropriate for read-only financial research through Finskills. Before using it, obtain a Finskills API key from the official site, keep the key scoped and private, prefer environment-variable configuration, and run the optional Python helpers only in a trusted virtual environment. Do not provide full payment card numbers; the BIN lookup documentation only needs the first 6–8 digits.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The user may need to provide or configure a Finskills API key, which could affect their account quota, billing, or access if mishandled.
The skill needs a provider API key to function. This is expected for Finskills access, but it is still a credential and is not declared as a primary credential or required environment variable in the registry metadata.
All requests require the `X-API-Key` header. If the user has not provided one, ask for it
Use a dedicated Finskills key with appropriate limits, prefer setting it as `FINSKILLS_API_KEY` rather than pasting it into chat, and avoid sharing unrelated credentials.
If the user installs the optional helper dependencies, they rely on whatever compatible `requests` package version pip resolves in their environment.
The optional helper scripts depend on a broadly versioned PyPI package rather than a pinned, hash-locked dependency. This is common for simple helper scripts, but it is still supply-chain relevant when users run `pip install`.
requests>=2.31
Install optional dependencies in a virtual environment and consider pinning versions or using a lockfile for reproducible installs.
