Skill v1.0.0

ClawScan security

Skills Public · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 8, 2026, 9:21 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and runtime behavior are consistent with a simple stock-quote lookup helper that issues web searches for real-time data and does not request credentials or install software.
Guidance
This skill is coherent and lightweight: it builds a web-search query for the agent to fetch stock quotes and does not ask for credentials or install code. Before enabling it, consider that it requires the agent to perform network searches (so results depend on the agent's web access and search tool); some data sources (e.g., certain US quotes) may be delayed as noted. The SKILL.md includes a hard-coded example path for manual invocation — that’s informational and may not match your environment. If you operate in a restricted environment, confirm you are comfortable allowing the agent web access for live data; otherwise the skill is low-risk.

Review Dimensions

Purpose & Capability
ok
Name/description (stock quote lookup) match the SKILL.md and the included script: both describe identifying a symbol and obtaining realtime data via web search or public stock APIs. Required resources and declared metadata are minimal and appropriate for this purpose.
Instruction Scope
ok
Runtime instructions ask the agent to identify a symbol and perform network searches to fetch quotes. The provided script only formats a search query and outputs a JSON 'web_search' action (it does not itself fetch remote data or read other system files). SKILL.md contains an example absolute path to the script (for manual invocation) — that's a usability note rather than a security requirement.
Install Mechanism
ok
No install spec; this is an instruction-only skill with a small helper script. Nothing is downloaded or written to disk by an installer, which minimizes installation risk.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The referenced APIs (Sina, Tencent) are public and the SKILL.md notes that some sources do not require API keys; no unexplained secrets are requested.
Persistence & Privilege
ok
always is false and the skill does not request elevated or persistent system privileges. disable-model-invocation is false (agent can call it autonomously), which is the platform default and expected for this kind of skill.