Skill v1.0.0
ClawScan security
Trump Tback · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 7, 2026, 7:12 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match the stated purpose (Trump/T-Back sentiment and momentum analysis); it requests no credentials and contains only local Python analysis plus optional market-data fetches — nothing appears disproportionate or hidden.
- Guidance: This skill appears coherent for analyzing Trump posts and market momentum. Before installing or running: 1) Confirm you run it in a controlled environment (virtualenv or sandbox) because it executes Python code and may install dependencies. 2) Expect network activity if you call get_market_data() (yfinance) or add external data-source code (the README mentions Truth Social); review any added fetch functions before supplying API keys. 3) The SKILL.md examples use a hard-coded workspace path — adapt commands to your environment. 4) No credentials are requested by the packaged code, but if you integrate real social APIs you will need to provide keys — only provide those to code you trust. If you want extra assurance, review requirements.txt (not included here) and run the code in an isolated container first.
Review Dimensions
- Purpose & Capability (ok): The name/description (Trump T-Back sentiment/momentum analysis) align with the included Python modules (mood_analyzer.py, cross_platform_analyzer.py) and README. The code implements text scoring, cross-platform resonance and viral momentum calculations, which is consistent with the skill's stated goal. Minor inconsistency: SKILL.md metadata declares a required binary 'python3' while the registry metadata at the top listed no required binaries; this is a small metadata mismatch (python3 is reasonable for a Python skill).
- Instruction Scope (note): SKILL.md instructs running the provided Python modules to analyze posts and includes example commands. The instructions reference an absolute workspace path (/home/gem/workspace/agent/workspace/trump_mood_dashboard) which will not exist on every host — this is an operational assumption, not an exfiltration vector. The code performs network I/O when market data is fetched (yfinance) but does not embed any hidden remote endpoints or credential exfiltration. No instructions ask the agent to read unrelated system files or secrets.
- Install Mechanism (ok): There is no install spec in the registry (instruction-only); included README suggests using pip to install requirements. No downloads from arbitrary URLs or archive extraction are present. The lack of a formal install step means the code would run using the agent's existing Python environment — ensure dependencies (yfinance, streamlit, etc.) are installed before running.
- Credentials (ok): The skill requests no environment variables or credentials. The code has optional network calls (yfinance) and the README suggests adding external data sources (e.g., Truth Social) which, if implemented later, would require API credentials. As-is, there are no secret-requiring behaviors in the provided files.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or privileged host modifications. It doesn't modify other skills or system-wide agent settings. Autonomous invocation is allowed by default (not flagged) but not combined with other concerning privileges.
