Skill v1.0.2
ClawScan security
portfolio-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 4:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose, required credential (FINSKILLS_API_KEY), and runtime instructions are internally consistent: it is an instruction-only portfolio analyzer that calls Finskills market endpoints and does not request unrelated permissions or installs.
- Guidance: This skill appears coherent and low-risk as shipped (instruction-only, needs only a Finskills API key). Before installing or using it: 1) Verify finskills.net (and any linked GitHub repo) are trustworthy and review their privacy/billing terms — confirm whether sending holdings or any personal data is logged or stored by their API. 2) Create an API key with minimal scope and monitor usage/billing (Pro plan may incur charges or higher rate limits). 3) Avoid pasting sensitive personal identifiers in holdings input (the skill only needs tickers, counts, and optional cost basis). 4) Note the README mentions downloading a zip from ClawHub — if you later install that package, review the code before running it because installable code could introduce new risks. 5) If you do not want the agent to call the skill autonomously, adjust agent skill-invocation settings or require explicit user consent before the skill runs.
Review Dimensions
- Purpose & Capability (ok): Name/description (portfolio monitoring & rebalancing) align with the required env var (FINSKILLS_API_KEY) and the listed API endpoints. Nothing in the metadata asks for unrelated cloud keys, binaries, or system paths.
- Instruction Scope (note): SKILL.md gives precise API calls to finskills.net and local computations for valuation, risk, and rebalancing. It does not instruct reading arbitrary files, scanning the system, or sending user environment data beyond using the API key. Note: the workflow requires the agent to receive the user's holdings (tickers, shares, cost basis) as input; those holdings would be processed locally, but tickers are used to query the external Finskills endpoints. Confirm you are comfortable that ticker lists (and any cost-basis or holding size you provide) will be handled as external input to the skill's runtime.
- Install Mechanism (ok): No install spec and no bundled code; instruction-only. This is lower risk because nothing is downloaded or written to disk by the skill itself.
- Credentials (ok): Only a single API key (FINSKILLS_API_KEY) is required, which is proportionate to the declared external API usage. The SKILL.md and README consistently reference this key and do not attempt to access other environment variables or system credentials.
- Persistence & Privilege (ok): `always` is false and there are no requested config paths or system modifications. The skill can be invoked autonomously by the agent (platform default), which is expected for a skill of this type.
