ClawHub
Back to skill
v0.1.2

Ipo Alert

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This skill appears to do what it says: fetch public IPO/listing schedules, print alerts, and keep a small local state file to avoid duplicates.

GuidanceBefore installing, confirm you are comfortable with the script periodically contacting 38.co.kr and writing ~/.config/ipo-alert/state.json. No credentials are required; review any heartbeat or cron setup so it only runs as often as you intend.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
check_ipo.py
result = subprocess.run(["curl", "-s", url], capture_output=True)

The script executes the local curl binary to fetch web pages. The URL sources are fixed to the disclosed 38.co.kr IPO data source, making this purpose-aligned rather than suspicious.

User impactRunning the skill will contact 38.co.kr to retrieve IPO and listing information.
RecommendationUse it only if you are comfortable with periodic requests to 38.co.kr; keep the fetch targets fixed and review any future changes to command arguments.
Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
On each heartbeat:
1. Run `python3 <skill_dir>/check_ipo.py daily`

The documentation suggests optional recurring execution through heartbeat or cron. This is disclosed and aligned with an alerting skill, but users should recognize it enables ongoing automated checks.

User impactIf configured, the skill may run periodically and produce alerts without a fresh manual command each time.
RecommendationReview the heartbeat or cron schedule before enabling it, and choose a cadence that matches how often you want IPO alerts.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
check_ipo.py
STATE_FILE = Path.home() / ".config/ipo-alert/state.json"

The script stores notification state in a persistent local file so it can suppress duplicate alerts across runs.

User impactThe skill will retain a small record of previously notified IPO/listing items and last check time on your machine.
RecommendationDelete ~/.config/ipo-alert/state.json if you want to reset notification history; avoid manually inserting untrusted content into this state file.