Polaris
Review
Audited by ClawScan on May 10, 2026.
Overview
Polaris mostly matches its news and market-data purpose, but its own artifacts contradict the “read-only/no user data” claims by offering alert creation with webhook delivery and sending user queries to its API.
Use this skill cautiously if you only want read-only lookups. Its news and market-data calls appear purpose-aligned, but review the /alerts behavior before allowing the agent to create alerts or use webhook delivery, and avoid entering confidential queries, URLs, portfolio details, or trading strategies unless you are comfortable sending them to The Polaris Report API.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could create remote alert subscriptions or webhook deliveries when using this skill, not just fetch public market data.
This documents a command that can create alerts and trigger webhook delivery, which is a state-changing or ongoing action rather than a simple read-only data lookup.
"description": "Create price or sentiment alerts with webhook delivery", "usage": "/alerts [action] [params]", "examples": ["/alerts list", "/alerts create NVDA price_above 150"]
Treat /alerts as a write/persistence feature. The skill should document alert storage, deletion, webhook destination handling, and require clear user confirmation before creating alerts.
Users may install or allow the skill believing it cannot create anything or cause ongoing deliveries, when the documented command set says otherwise.
The same artifact claims the skill is read-only while also advertising alert actions with webhook delivery, creating a material mismatch in the security description.
- **Read-only**: Only fetches public data. Does not write, modify, or delete anything. ... | `/alerts [action]` | Price/sentiment alerts with webhook delivery |
Correct the security section to disclose all state-changing features, especially alert creation and webhook delivery, or remove/disable those features if the skill is intended to be read-only.
Queries, topics, ticker lists, URLs, or portfolio-style inputs could reveal user interests or investment context to the provider.
User-supplied topics and search queries are sent to the external Polaris API, which is expected for this kind of search/reporting skill but still matters for privacy.
body: JSON.stringify({ topic }) ... const data = await apiFetch(`/api/v1/search?${params}`);
Do not enter confidential or private information unless you are comfortable sending it to api.thepolarisreport.com; the publisher should clearly document logging and retention practices.
