Skill v1.0.2

ClawScan security

Daily Stock Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 7:54 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested resources are consistent with a local report-generation daily stock-analysis tool; nothing significant or disproportionate is requested or installed.
Guidance
This skill appears internally consistent with its stated purpose. Before installing/running: (1) choose an appropriate working_directory you control (reports and migrations operate only inside that directory); (2) be aware that the agent will fetch market data from web sources (Yahoo Finance, exchange sites, search queries) as part of normal operation — ensure you are comfortable granting the agent network access for that; (3) the bundled Python scripts are local and avoid symlinks and files outside the workdir, but review/mirror the scripts if you need to audit behavior; (4) migrations accept absolute paths but will refuse files outside the workdir, so only allow migration of files you trust; (5) no secrets or cloud credentials are required by the skill. If you want extra assurance, run the scripts manually on a sample workdir first to verify outputs and behavior.

Review Dimensions

Purpose & Capability
ok: The name/description (daily stock analysis and rolling accuracy) matches the included Python utilities and supporting reference docs. No unexpected credentials, system paths, or unrelated binaries are required.
Instruction Scope
note: Instructions restrict file reads/writes to the declared working_directory and the scripts enforce this (realpath checks, no symlink following, filename regex). However, the SKILL.md expects the agent to gather external market data (Yahoo Finance, exchange filings, etc.) via web queries — which is appropriate for its purpose but means the agent will perform network calls outside the local scripts. This is an intended behavior, not hidden I/O; verify you are comfortable with the agent's web access for data collection.
Install Mechanism
ok: There is no install spec (instruction-only with bundled Python scripts). No remote downloads or third-party installers are invoked by the skill itself.
Credentials
ok: The skill requires no environment variables, credentials, or external config paths. All data access and migration operations are constrained to a user-provided working_directory.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and only persists report files under the canonical reports directory inside the specified working_directory. Migration requires explicit user confirmation per instructions.