Back to skill
Skillv1.0.2
ClawScan security
trading-plan-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 18, 2026, 3:13 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions align with its stated purpose: it only needs a Finskills API key and makes the listed API calls to build trade plans; there are no unexpected installs, extra credentials, or unrelated behaviors in the SKILL.md.
- Guidance
- This skill appears coherent and limited to using the Finskills API to generate trade plans. Before installing: (1) Confirm you trust finskills.net (reviews, privacy/terms), since the skill will send symbols and any user-entered account-size/risk data to that API. (2) Keep your FINSKILLS_API_KEY secret and do not reuse sensitive brokerage credentials. (3) The skill generates trade plans but does not execute trades — verify outputs and backtest before acting. (4) The registry metadata lacks an authoritative homepage; if provenance matters, review the linked GitHub repo and the ClawHub download referenced in the README to ensure you trust the source.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and README consistently describe fetching quote/history/recommendations from the Finskills API and computing ATR, S/R, and position sizing. The single required env var (FINSKILLS_API_KEY) is appropriate and expected for this purpose.
- Instruction Scope
- okRuntime instructions only ask the agent to collect user-provided trade inputs (symbol, thesis, account size, risk %, horizon) and to call three Finskills endpoints. There are no instructions to read unrelated system files, capture other environment variables, or transmit data to unknown endpoints beyond finskills.net.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself — the lowest-risk install profile.
- Credentials
- noteOnly FINSKILLS_API_KEY is required, which matches the API usage. The skill asks the user to provide account-size and risk %, which are sensitive financial inputs but necessary for position sizing; users should avoid providing brokerage credentials or other secrets (none are requested).
- Persistence & Privilege
- okalways is false and the skill does not request any persistent or elevated privileges. It does not modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other red flags.