financial-report

Pass

Audited by VirusTotal on May 3, 2026.

Overview

Type: OpenClaw Skill
Name: financial-report
Version: 1.0.0

The skill bundle provides a legitimate financial analysis and visualization tool. The SKILL.md file contains standard instructions for an AI agent to retrieve financial data and generate reports, while the scripts/financial-analyzer.html file provides a local, interactive dashboard using Chart.js for data visualization. No evidence of data exfiltration, malicious execution, or prompt injection was found; the code operates entirely on user-provided or knowledge-base data without unauthorized network calls. The external links to a 'Pro version' (keto.bh-jk.com) and the platform's CLI installation instructions in the README.md are consistent with the tool's stated purpose as a utility.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the CDN or dependency were compromised, code running in the browser page could potentially access data typed into the tool.

Why it was flagged

The local HTML visualization tool depends on a third-party CDN script for chart rendering. This is purpose-aligned, but users entering financial data should know remote JavaScript will run in the page.

Skill content

<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.4/dist/chart.umd.min.js"></script>

Recommendation

Use the tool with public or non-sensitive data unless you trust the CDN dependency; a safer version would bundle the library locally or use subresource integrity.

What this means

A user may click through to an external site assuming it is affiliated with the skill, even though the artifacts do not establish that relationship.

Why it was flagged

The HTML tool contains upgrade links to an external domain that is not explained in the registry metadata or homepage. The README also describes this as professional-version promotion.

Skill content

<a href="https://keto.bh-jk.com" target="_blank" class="pro-badge">🔓 解锁专业版</a>

Recommendation

Treat the upgrade link as an external marketing site; do not enter payment, credentials, or sensitive information unless you independently trust the domain.