Skill v1.0.0
ClawScan security
dabai/finance-news-brief · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 1:26 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions are consistent with its stated purpose (collect recent financial news, produce Markdown and a PDF); it requires no credentials and its only notable runtime behavior is converting Markdown → HTML → PDF using a bundled Python script that may install Python packages and launch a local headless Chrome instance.
- Guidance: This skill appears coherent and implements exactly what it advertises: collect news via WebSearch, produce a Markdown brief with links, and convert it to a styled PDF using the included script. Before installing/using it, consider: (1) the bundled Python script will attempt to pip-install missing packages (network access to PyPI) — run it in a virtualenv or isolated environment if you don't want packages added to your system Python; (2) the script launches a headless Chrome and opens a localhost debug port — ensure Chrome is installed and be comfortable with a local process briefly listening on 127.0.0.1; (3) review the generate_pdf.py source (included) if you have workplace policies about running third-party scripts. If you want stronger isolation, execute the PDF step manually or inside a container/VM.
Review Dimensions
- Purpose & Capability (ok): The skill says it will gather recent financial news and produce Markdown + PDF. The SKILL.md instructs the agent to use a WebSearch tool to collect links and create a Markdown report, and the repo includes a PDF-generation script and HTML template to render the Markdown. The presence of the PDF-generation script and template is appropriate and proportionate.
- Instruction Scope (ok): SKILL.md confines runtime actions to using a WebSearch tool to find news, assemble summaries with source links, save a Markdown file, and run the included Python script to generate a PDF. It does not instruct reading unrelated system files, asking for credentials, or sending data to external endpoints beyond WebSearch results. It does instruct running local commands (python script) and using a WebSearch tool, which matches the skill's purpose.
- Install Mechanism (note): No external install spec is declared (instruction-only), but the bundled scripts/generate_pdf.py will attempt to pip-install Python packages (e.g., 'markdown', and later the user's environment may need weasyprint if used) at runtime if missing. That implies network access to PyPI and execution of installer code in the user's environment. The script also launches a local headless Chrome and implements a raw DevTools WebSocket handshake to control printing. These behaviors are functional for PDF generation but worth noting because they perform runtime package installation and spawn a browser process.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. The actions in SKILL.md and the script do not require secrets. Runtime operations are limited to local file writes, starting a localhost HTTP server, launching Chrome, and contacting localhost for DevTools — all proportionate to PDF generation.
- Persistence & Privilege (ok): The skill does not request persistent/always-on presence and does not modify other skills or system-wide agent settings. It runs only when invoked and writes output files to user-specified or current directories. It launches transient processes (HTTP server, Chrome) without claiming elevated privileges.
