Skill v4.1.0

ClawScan security

US Treasury Radar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 8:43 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (fetching and summarizing US Treasury and TIC data). It does not request secrets or contact unexpected endpoints and has no install script, though it relies on the Python requests library, which it does not declare as a dependency.
Guidance
This package appears coherent and limited to fetching public Treasury/TIC data and producing a report. Before installing: (1) inspect the included radar.py (already present) and confirm network calls are only to treasurydirect.gov (they are), (2) ensure the runtime has Python3 and the 'requests' package installed, (3) run the script in a restricted environment if you want to limit network access while testing, and (4) note the publisher/source is anonymous — if provenance matters to you, prefer packages from known authors or official repositories.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (US Treasury data and risk signals) align with the included files and runtime behavior. The code fetches TreasuryDirect endpoints and computes the listed metrics; nothing in the package requests unrelated capabilities.
Instruction Scope
Status: ok
SKILL.md and README instruct only to run the provided Python script and describe the data sources (TreasuryDirect and TIC). There are no instructions to read arbitrary local files, export credentials, or send data to third-party endpoints beyond the documented TreasuryDirect URLs.
Install Mechanism
Status: note
There is no install spec (instruction-only, with the code shipped in the package). This is low risk. One minor operational omission: the script uses the Python requests library but the skill neither declares nor installs that dependency; users should ensure 'requests' is available in the runtime environment.
Credentials
Status: ok
The skill requests no environment variables, credentials, or config paths. The code makes network calls only to treasurydirect.gov, which is proportional to the stated purpose.
Persistence & Privilege
Status: ok
The skill is not marked always:true, is user-invocable, and does not modify other skills or system settings. It only contains a simple run.sh for optional scheduled execution.