v1.0.0

financial-report-analyzer

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:35 AM.

Analysis

This appears to be a coherent local financial-PDF analyzer; the main cautions are local output/intermediate files despite broad “no data storage” wording and undeclared Python dependencies.

Guidance: Install only if you are comfortable running the included Python scripts locally. Use a safe working folder, expect generated JSON/TXT/chart/report files to remain there, verify any financial conclusions manually, and install Python dependencies from trusted sources.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
✅ **No data storage** - No user data is saved

The privacy statement is broader than the implementation: scripts/extract_pdf.py saves extracted JSON and TXT files containing full PDF text, and other scripts save parsed data, charts, and reports. This is local and aligned with analysis, but users should know files persist.

User impact: A user may believe nothing is saved, while local copies of extracted financial-report text and generated analysis can remain on disk.
Recommendation: Clarify that processing is local but intermediate/output files are saved, document their locations, and provide cleanup or user-selected output-directory guidance.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
pdfplumber - PDF text extraction
pandas - data processing
matplotlib - chart generation
numpy - numerical computation

The skill depends on common Python packages, but the supplied metadata/install section declares no install spec and no required binaries/dependencies. The dependencies are expected for the purpose, but version/provenance is not pinned by the artifacts.

User impact: The skill may not run until dependencies are installed, and users must choose trusted package sources and versions themselves.
Recommendation: Declare dependency requirements and, if possible, pinned versions or a lockfile; install only from trusted package repositories.