Back to skill
Skillv1.0.1
ClawScan security
MoltStreet Sectors · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 11:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are consistent with its stated purpose — it simply fetches sector summaries from moltstreet.com via curl and formats them; no extra credentials, installs, or file access are requested.
- Guidance
- This skill appears internally consistent: it makes unauthenticated HTTPS GET calls to moltstreet.com and formats the returned analyst-consensus fields. Before installing, verify you trust moltstreet.com (check the homepage and the linked repository), understand that outputs are AI-generated (not financial advice), and confirm you’re comfortable allowing the agent to make outbound network calls to that domain. If you require higher assurance, review the repository (https://github.com/fredxyt/moltstreet) and the site’s privacy/disclaimer pages to confirm data handling and accuracy claims.
Review Dimensions
- Purpose & Capability
- okName/description promise (sector ETF signals) matches the manifest and SKILL.md which call moltstreet.com API endpoints for ticker summaries and related context. Requiring curl is proportionate for HTTP GET calls.
- Instruction Scope
- okSKILL.md instructs only to perform GETs against https://moltstreet.com/api/v1/ticker-summary/:symbol and to format the returned fields into a sector-rotation view. It does not instruct reading local files, environment variables, or contacting other endpoints.
- Install Mechanism
- okNo install spec or code is included; this is instruction-only. That minimizes on-disk code risk. The only runtime dependency declared is curl, which is appropriate for the documented curl examples.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. Public API endpoints are used without auth, matching the 'Free, no API key' description.
- Persistence & Privilege
- okalways is false (default) and there are no install scripts or requests to modify other skills or system settings. The skill can be invoked autonomously by agents (default behavior) but that is not combined with other red flags here.