Skill v2.1.0

ClawScan security

Investment Risk Scanner (Buffett + Porter Framework) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 2:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are internally consistent with an investment risk‑analysis helper and do not request unrelated credentials, installs, or system access.
Guidance
This skill appears coherent and low‑risk: it provides frameworks and numeric thresholds for investment risk analysis and does not request credentials or install code. Before using it in production, verify where the agent will obtain live financial data (which data sources/APIs it will call), confirm you do not supply any brokerage or cloud credentials, and treat the tool as decision‑support (not professional financial advice). If you want the skill to fetch live market data, ask the author to list the data sources/APIs it uses so you can validate their trustworthiness.

Review Dimensions

Purpose & Capability
ok: Name/description (Buffett + Porter risk analysis) matches the SKILL.md content: checklists, thresholds, and case examples are all appropriate for an investment risk scanner. There are no unexpected credential or binary requirements.
Instruction Scope
ok: SKILL.md contains a detailed, self‑contained methodology (five Buffett layers + Porter's Five Forces) and does not instruct the agent to read arbitrary local files, access unrelated environment variables, or send data to external endpoints. The guidance is prescriptive rather than open‑ended.
Install Mechanism
ok: Instruction‑only skill with no install spec and no code files — nothing is written to disk and no external packages or downloads are required.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. The checks and thresholds in SKILL.md do not imply any hidden need for additional secrets or system access.
Persistence & Privilege
ok: "always" is false and the skill is user‑invocable. It does not request permanent platform presence or modify other skills/configuration.