Back to skill
Skillv1.0.0
ClawScan security
Financial Health Check Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 2:40 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, tests, and SKILL.md are coherent with the stated descriptive financial-analysis purpose and do not request unrelated credentials, installs, or network access.
- Guidance
- This skill appears internally consistent and descriptive only. Before installing, consider: (1) confirm you trust the source/author since source is unknown; (2) avoid pasting highly sensitive account numbers or full bank statements into the skill (the code processes text and that data may be logged/stored by the platform); (3) review platform data-handling/privacy policies to understand where user inputs are recorded; (4) run the included tests in a sandbox if you want to validate behavior locally; (5) note minor implementation details (simple regex-based amount detection and a broad exception clause) that could mis-parse some inputs — outputs are informational and not a substitute for professional financial advice.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and handler.py align: the code parses user text, detects amounts/dates/keywords, and returns structured recommendations/templates. No unrelated resources, binaries, or credentials are requested.
- Instruction Scope
- okSKILL.md promises a non-executing, non-networking descriptive skill — handler.py follows that: it only reads provided user input, performs local regex parsing/logic, and returns JSON. It does not read files, access environment variables, or call external endpoints.
- Install Mechanism
- okNo install spec or external downloads. This is effectively an instruction-only skill with small included code (handler.py) and tests; nothing is written to disk by an installer or pulled from remote sources.
- Credentials
- okSkill declares no required environment variables or credentials and the code does not access secrets or external services. The requested environment access is minimal and proportionate to its stated purpose.
- Persistence & Privilege
- okalways is false and the skill does not attempt to persist configuration or modify other skills. Autonomous invocation is allowed by platform default but is not combined here with elevated privileges or broad credential access.