Skillv1.0.1

ClawScan security

us-stock-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 18, 2026, 2:43 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with an API-driven stock analysis tool; the only notable issue is a metadata mismatch about required credentials in the registry vs. SKILL.md.
Guidance: This skill appears to do what it says: fetch data from finskills.net and produce financial analyses. Before installing, verify the following: (1) Confirm the registry metadata vs SKILL.md discrepancy — ensure the platform will prompt for FINSKILLS_API_KEY at install/runtime. (2) Use an API key with least privilege and billing limits (create a dedicated key for the skill, not a broad account key). (3) Review the upstream repo (https://github.com/finskills/us-stock-analyzer) for any code changes or hidden behavior before trusting a packaged version. (4) Test by running the skill with a throwaway key or limited quota and monitor network calls to finskills.net. (5) Check the Finskills API terms and what data the provider logs or shares (privacy/billing). If you find additional required env vars, unexpected endpoints, or included code files that perform disk/network operations, re-evaluate — those would raise the risk to 'suspicious'.

Purpose & Capability: okThe name/description match the runtime instructions: all data is fetched from the Finskills API and used to compute financial scores and valuations. The declared required credential (FINSKILLS_API_KEY) in SKILL.md is appropriate for the stated purpose. The main inconsistency is registry metadata claiming no required env vars while SKILL.md explicitly requires an API key.
Instruction Scope: okSKILL.md only instructs the agent to call Finskills endpoints and compute financial metrics. It does not direct the agent to read local files, other environment variables, or to send data to third-party endpoints outside finskills.net. The analysis workflow is narrow and well-scoped to the stated purpose.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files — lowest-risk install surface. There are no downloads or archive extracts described.
Credentials: noteSKILL.md requires a single API key (FINSKILLS_API_KEY), which is proportionate to a service that calls an external API. However, the registry metadata omitted required env vars, creating an incoherence that should be resolved before trusting the package listing.
Persistence & Privilege: okThe skill does not request always:true and has no install-time persistence instructions. It does not ask to modify other skills or system-wide settings.