Skillv1.0.1

ClawScan security

finchain-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 10, 2026, 3:45 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with a FinChain/FUSD-focused information skill: it only references remote FinChain documents and web searches, requests no credentials, and has no install steps or local code to run.
Guidance: This skill is instruction-only and will fetch documentation and data from the FinChain-hosted index, language-specific markdown, the listed official FinChain websites, and a DocSend reserve-proof link; it also may run model web searches for live figures. It does not request any credentials or install software. Consider these points before installing: (1) trustworthiness depends on the remote sources—if those endpoints are compromised the content could be misleading, so verify critical facts (especially any financial figures) against official channels; (2) the skill explicitly forbids inventing APRs, reserve ratios, or providing direct investment advice, but you should still not treat its outputs as financial advice—verify with FinChain support or official docs before acting on financial recommendations; (3) because the skill may fetch live data, avoid submitting sensitive account credentials or private information through the skill. Overall the package is coherent with its stated purpose.

Purpose & Capability: okThe skill claims to provide product facts, yield calculations, risk lookups, and light humour for FinChain/FUSD. Its declared data sources (a hosted index, language-specific markdown, a products registry, official FinChain sites, and a DocSend reserve-proof) are appropriate and proportional to that purpose.
Instruction Scope: okSKILL.md instructs the agent to read a remote index and language-specific docs, consult official FinChain sites for live info, and use web search only when needed. It does not instruct reading unrelated local files, environment variables, or sending data to unknown endpoints. The only notable runtime behavior is network calls to the listed FinChain-hosted URLs and DocSend for reserve proofs, which matches the skill's goal.
Install Mechanism: okNo install spec and no code files are included (instruction-only). Nothing will be downloaded or written to disk by an installer as part of the skill itself.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths. There are no requests for secrets or unrelated service keys, which is proportionate for an informational skill.
Persistence & Privilege: okThe skill does not request always:true and is user-invocable only. It does not ask to modify other skills or system-wide settings.