Skill v1.0.0

ClawScan security

Stock Market Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 7:20 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code mostly matches its description, but it imports an undocumented, unknown package (kimi_finance) and the package/source provenance is not provided, which is a notable inconsistency and potential risk.
Guidance: This package largely does what it claims, but it relies on an undocumented external module 'kimi_finance' whose source and behavior are not provided. Before installing or running this skill: (1) verify where 'kimi_finance' comes from (PyPI project page, source repo, or vendor) and review its source or documentation; (2) avoid running it on machines with sensitive data until you confirm the dependency is safe; (3) if you plan to install, add an explicit install spec or update requirements to include 'kimi_finance' with a specific version and origin; (4) run the code in a sandbox or container and monitor network traffic to see which endpoints it contacts; (5) prefer skills with a clear homepage, source repo, and declared dependencies. If you can provide the 'kimi_finance' package source or more provenance, I can re-evaluate and likely raise confidence.

Review Dimensions

Purpose & Capability
note: Name and description align with the included code (functions for realtime prices, indicators, summaries, portfolio analysis). However, the code depends on an external module named 'kimi_finance' (used to fetch/write data) that is not declared in requirements.txt or SKILL.md and whose origin is unknown — this dependency is integral to the skill but not documented, which is disproportionate to the published metadata.
Instruction Scope
ok: SKILL.md contains usage examples that match the code (calling query_realtime_price, query_technical_indicators, etc.). The instructions do not ask the agent to read unrelated files, environment variables, or contact unexpected endpoints. The implementation writes temporary CSVs under /tmp and returns their contents; that behavior is within scope but worth noting.
Install Mechanism
note: There is no install spec (no automatic download/install). A requirements.txt is present listing pandas, requests, and numpy, but not the critical 'kimi_finance' dependency used by the code. The absence of an install mechanism for that dependency and the lack of a declared package source (PyPI/project homepage) is an inconsistency that increases risk, because the skill relies on an undeclared third-party component.
Credentials
note: The skill declares no required environment variables or credentials, which is reasonable for a read-only market-analysis tool. However, the unknown 'kimi_finance' package could perform network requests or require credentials internally; because its origin and behavior are not visible, it is not possible to confirm that no sensitive data will be accessed or transmitted.
Persistence & Privilege
ok: The skill does not request persistent or elevated privileges (always is false, no config paths, no system modifications). It only writes temporary CSV files to /tmp, which is expected for local caching and is within a limited scope.