Finance Lite (Beta): Daily Macro + Market Move Brief

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is broadly consistent with a finance-market briefing tool, with disclosed use of a finance API key, local Node/curl execution, network requests, and small local cache/watchlist files.

Before installing, confirm you are comfortable running the bundled Node script, providing a Finnhub API key, making outbound requests to finance/news providers, and storing a local market-data cache and watchlist. No artifact-backed malicious behavior is evident.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You will need to provide a finance-data API key, which may be tied to your provider account and usage limits.

Why it was flagged

The skill requires or accepts provider API keys. This is expected for a finance-data integration, and the visible artifacts do not show hardcoded keys, credential logging, or unrelated credential use.

Skill content

Required environment variable: `FINNHUB_API_KEY` ... Optional environment variable: `NASDAQ_DATALINK_API_KEY`

Recommendation

Use a provider key with the minimum needed access, avoid sharing it in chats or logs, and rotate it if you suspect exposure.

What this means

Invoking the skill runs its bundled JavaScript locally and may call external finance services.

Why it was flagged

The skill is designed to dispatch local Node commands through exec. This is disclosed and central to the tool’s purpose, not hidden or unrelated.

Skill content

command-tool: exec ... `brief` → `node ./scripts/finance_lite/brief.mjs brief`

Recommendation

Install only if you are comfortable with the listed local commands being run for finance-brief requests.

What this means

The install UI may not warn you that the skill needs local tools and an API key until you read SKILL.md or run it.

Why it was flagged

The registry metadata under-declares prerequisites that SKILL.md and the visible code disclose, including FINNHUB_API_KEY and node/curl. This is a packaging/metadata gap rather than evidence of hidden behavior.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Review SKILL.md before use and ensure Node, curl, and the intended API keys are configured intentionally.

What this means

Future summaries may depend on cached data or a modified local watchlist, and the watchlist may reveal tickers you follow on the local machine.

Why it was flagged

The skill persists market data cache and watchlist state locally. This is disclosed and scoped, but persisted data can influence later brief outputs.

Skill content

The tool writes local cache under `./scripts/finance_lite/.cache/` ... `add/remove` commands modify bundled `./scripts/finance_lite/watchlist.json`.

Recommendation

Periodically review or delete the skill’s .cache directory and watchlist.json if you want a fresh state or do not want those tickers stored locally.