Skill v1.0.0
ClawScan security
a-stock-investment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 12:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested environment variable (TAVILY_API_KEY) align with its stated purpose of fetching A‑share market data from the Tavily API; nothing in the package tries to access unrelated credentials or local files.
- Guidance: This skill appears coherent: it uses the TAVILY_API_KEY to call the Tavily search API and returns results. Before installing, confirm you trust Tavily (review their privacy policy and terms), and be aware that the skill will make network requests whenever invoked. Keep your TAVILY_API_KEY secret and consider using a key with limited scope/quotas. Ensure a compatible Node runtime is available if you run the included script. If you need higher assurance, ask the author for a homepage/source repository or inspect network traffic and API request/response handling in a controlled environment.
Review Dimensions
- Purpose & Capability (ok): The skill is an A‑share market analysis tool that calls the Tavily search API. The only required secret is TAVILY_API_KEY, which is appropriate for calling that external service. No unrelated binaries, paths, or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs the agent to run the provided Node script to query Tavily. The script only reads process.env.TAVILY_API_KEY and the provided query/flags, then POSTs to https://api.tavily.com/search and prints returned answer/results. It does not read other environment variables, local files, or exfiltrate additional data.
- Install Mechanism (ok): There is no install spec; this is instruction+script only. The script is a small Node program and does not download or install external code at runtime. No high-risk download/extract URLs are present.
- Credentials (ok): Only a single env var (TAVILY_API_KEY) is required and is used directly to authenticate requests to the Tavily API. The request is proportionate to the skill's purpose.
- Persistence & Privilege (ok): The skill is not always-on, does not request persistent system privileges, and does not modify other skills or system configurations. It will make outbound network calls when invoked (normal for this purpose).
