Financial Analytics Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The visible code looks like a local financial-file analyzer, but the skill advertises broad bank, accounting, investment, and compliance integrations without declared credentials, scoped permissions, or matching implementation files.
Install only if you intend to use it as a local financial-file analysis helper. Avoid connecting real bank, accounting, brokerage, crypto, or e-commerce accounts until the developer provides reviewed integration code, explicit credential scopes, privacy handling, and revocation instructions. Run any dependencies in an isolated environment and protect generated reports because they may contain sensitive financial data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors returned a clean verdict (no detections) for this skill's artifacts.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be led to connect sensitive financial accounts without knowing what access is required, how credentials are handled, or how to limit/revoke permissions.
These features imply high-impact access to financial accounts, accounting systems, and investments. The supplied metadata declares no primary credential, required environment variables, or capability tags, and the artifacts do not define credential scopes, consent flow, or token handling.
"Bank API Connections": Connect to Plaid, Yodlee, or direct bank APIs ... "Accounting Software": QuickBooks, Xero, FreshBooks integration ... "Investment Accounts": Brokerage, crypto, retirement accounts
Do not connect live bank, brokerage, accounting, or e-commerce accounts unless the developer provides explicit credential declarations, OAuth/scoping details, revocation instructions, and a reviewed implementation.
Users may overtrust the skill for compliance-grade reporting, tax optimization, or account integrations that are not actually evidenced in the package.
The advertised templates and integration modules are not present in the provided file manifest, which includes only one analyzer script plus sample/reference files. This makes the capability and compliance claims appear overstated relative to the reviewed artifacts.
"Regulatory Compliance": GAAP/IFRS compliant reporting templates ... File Structure ... scripts/financial_integration.py ... templates/income_statement_template.html ... investor_presentation.pptx
Treat this as an unverified local analysis helper only. The developer should align the documentation with the shipped files, remove unsupported claims, and add clear financial/compliance disclaimers.
Manual unpinned installs can lead to dependency confusion, unexpected version changes, or broader local environment impact.
The skill asks users to install several unpinned third-party packages manually, including financial data and bank-integration libraries. This is expected for the stated purpose, but there is no install spec, lockfile, or version pinning in the artifacts.
pip install pandas numpy matplotlib seaborn plotly scipy scikit-learn yfinance plaid-python python-dotenv
Install only in a virtual environment, pin package versions, and prefer a reviewed lockfile or install spec from the developer.
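The two preceding findings (advertised files absent from the manifest, and an install line with no version pins) can both be checked without executing the skill. The script below is an added example, not ClawScan tooling or the skill's own code; the shipped-file manifest and the SKILL.md excerpt are constructed stand-ins for the artifacts reviewed above.

```python
"""Added example, not ClawScan tooling or the skill's own code: two checks a
reviewer can run over a skill package without executing it. The first extracts
every file path a SKILL.md advertises and reports those absent from the shipped
manifest; the second flags package specs in `pip install` lines that carry no
exact version pin. The manifest and SKILL.md excerpt below are constructed
stand-ins for the artifacts reviewed on this page."""
import re
from typing import Dict, List

# Constructed manifest: one analyzer script plus sample/reference files.
SHIPPED_FILES = [
    "SKILL.md",
    "scripts/financial_analyzer.py",
    "samples/sample_income.csv",
    "reference/ratios.md",
]

# Constructed excerpt modelled on the skill's "File Structure" and install text.
SKILL_MD = """\
## File Structure
- scripts/financial_integration.py
- templates/income_statement_template.html
- templates/investor_presentation.pptx

## Installation
pip install pandas numpy matplotlib seaborn plotly scipy scikit-learn yfinance plaid-python python-dotenv
"""

# A slash-separated relative path ending in a file extension, e.g. a/b/c.py
PATH_RE = re.compile(r"\b[\w.-]+(?:/[\w.-]+)+\.\w+\b")
# name[extras]==version; `>=`, `~=` and bare names still float, so they count as unpinned
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?==\S+$")

# Options that consume the following token; anything else starting with '-' is a bare flag
OPTIONS_WITH_ARG = {"-r", "--requirement", "-e", "--editable", "-c", "--constraint"}


def advertised_paths(skill_md: str) -> List[str]:
    """Every slash-separated file path mentioned anywhere in the SKILL.md text."""
    return sorted(set(PATH_RE.findall(skill_md)))


def missing_files(skill_md: str, shipped: List[str]) -> List[str]:
    """Advertised paths that have no matching entry in the shipped manifest."""
    shipped_set = set(shipped)
    return [p for p in advertised_paths(skill_md) if p not in shipped_set]


def install_specs(skill_md: str) -> List[str]:
    """Package specs from every `pip install` / `pip3 install` / `python -m pip install` line."""
    specs: List[str] = []
    for line in skill_md.splitlines():
        tokens = line.strip().split()
        for i in range(len(tokens) - 1):
            if tokens[i] in ("pip", "pip3") and tokens[i + 1] == "install":
                rest = tokens[i + 2:]
                j = 0
                while j < len(rest):
                    if rest[j] in OPTIONS_WITH_ARG:
                        j += 2
                    elif rest[j].startswith("-"):
                        j += 1
                    else:
                        specs.append(rest[j])
                        j += 1
                break
    return specs


def unpinned_specs(skill_md: str) -> List[str]:
    """Install specs lacking an exact `==` pin."""
    return [s for s in install_specs(skill_md) if not PIN_RE.match(s)]


def audit(skill_md: str, shipped: List[str]) -> Dict[str, List[str]]:
    """Summarise both checks; an empty list means that check passed."""
    return {
        "missing_files": missing_files(skill_md, shipped),
        "unpinned_specs": unpinned_specs(skill_md),
    }


if __name__ == "__main__":
    for check, items in audit(SKILL_MD, SHIPPED_FILES).items():
        print(f"{check}: {items or 'none'}")
```

Run against the constructed inputs, `audit` reports all three documented integration and template files as missing and all ten packages as unpinned, which is the gap the two findings describe. Pinning alone does not verify integrity; pair `==` pins with `pip install --require-hashes` against a developer-supplied lockfile once one exists.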
If pointed at sensitive files or output locations, the tool can create local reports containing private business or personal financial data.
The included script reads user-specified financial files and writes user-specified report/chart outputs. This is purpose-aligned and user-directed, but it can process and persist sensitive financial information.
parser.add_argument('file' ...); pd.read_csv(filepath); pd.read_excel(filepath); open(output_file, 'w'); plt.savefig(f'{output_dir}/revenue_vs_expenses.png')
Point the tool only at the input files you intend to analyze, review the output paths before it writes (the script writes wherever output_file and output_dir point, with no confinement or permission handling of its own), and store generated reports in a protected location.
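A hardened form of the write pattern quoted above, as an added example rather than the skill's own code: output paths are resolved and confined to an explicit report root, an existing report is never silently overwritten, and each report is created owner-readable only. The report root, file names and report content are assumptions made for the example.

```python
"""Added example, not the skill's own code: a hardened replacement for the
`open(output_file, 'w')` / `plt.savefig(f'{output_dir}/...')` pattern quoted
above. Every output path is resolved and confined to an explicit report root,
an existing file is never silently overwritten, and reports are created
owner-readable only (POSIX mode 0600). The report root, file names and
report content are assumptions made for the example."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Union

PathLike = Union[str, Path]


class UnsafeOutputPath(ValueError):
    """Raised when a requested output path would land outside the report root."""


def resolve_output(report_root: PathLike, requested: str) -> Path:
    """Return the absolute path for `requested` under `report_root`, or raise.

    Resolving first (follows symlinks, collapses '..') and checking containment
    afterwards is what defeats '../../.ssh/authorized_keys' and absolute paths
    such as '/etc/passwd'. The root itself is rejected: a report must be a file
    below it, not the directory.
    """
    root = Path(report_root).resolve()
    target = (root / requested).resolve()
    if target == root or root not in target.parents:
        raise UnsafeOutputPath(f"{requested!r} is outside {root}")
    return target


def is_confined(report_root: PathLike, requested: str) -> bool:
    """Boolean form of resolve_output for callers that only need a verdict."""
    try:
        resolve_output(report_root, requested)
    except UnsafeOutputPath:
        return False
    return True


def write_private_report(report_root: PathLike, requested: str, content: str) -> Path:
    """Create `requested` under the root as a new 0600 file holding `content`."""
    target = resolve_output(report_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: fail with FileExistsError instead of clobbering an existing report.
    # The mode is applied at creation time (further restricted by the umask),
    # so the file is never briefly group/world-readable before a later chmod.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo() -> Dict[str, object]:
    """Write one constructed report into a fresh temp directory and return
    what each safeguard did (returned rather than printed so it can be checked)."""
    root = Path(tempfile.mkdtemp(prefix="fin_reports_"))
    written = write_private_report(root, "q3/summary.csv", "revenue,expenses\n100,80\n")
    try:
        write_private_report(root, "q3/summary.csv", "overwrite attempt\n")
        overwrite_rejected = False
    except FileExistsError:
        overwrite_rejected = True
    return {
        "path_under_root": root.resolve() in written.parents,
        "group_other_bits": stat.S_IMODE(written.stat().st_mode) & 0o077,
        "escape_rejected": not is_confined(root, "../../etc/cron.d/report"),
        "absolute_rejected": not is_confined(root, "/etc/passwd"),
        "overwrite_rejected": overwrite_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For chart output, hand the path returned by `resolve_output` to `plt.savefig` so the image is subject to the same containment check; `savefig` creates the file itself, so run the tool with a restrictive umask (for example `umask 077`) if the PNGs must also stay private.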
