Skill v0.1.0

ClawScan security

Mfapi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 12:20 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill queries the public MFapi.in REST API for mutual fund NAVs, uses curl/jq or the included Python helper, requires no credentials, and its required behaviors are consistent with its stated purpose.
Guidance
This skill appears to do exactly what it says: query the public MFapi.in service for mutual fund NAVs. It requires curl and jq (or Python 3 to run the included script) and does not ask for any API keys. Things to consider before installing: (1) the included script will download and cache the full scheme list (~37k records) to /tmp/mfapi-schemes.json — this consumes bandwidth and disk space and the file may be world-readable on multi-user systems (the data itself is public). (2) There are no rate-limit guarantees from the API; avoid automated high-frequency polling to prevent abuse. (3) Ensure curl/jq/python are installed from trusted sources. Overall the components, instructions, and file access are coherent with the stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description (query MFapi.in for NAVs/scheme info) match the requested binaries (curl, jq) and the included Python script. There are no unrelated credentials, binaries, or config paths requested; everything requested is proportionate to the stated functionality.
Instruction Scope
note: SKILL.md instructs the agent to call https://api.mfapi.in and to use curl/jq or the provided Python script. The Python script downloads the full scheme list (~37k entries) and caches it in /tmp/mfapi-schemes.json (auto-refresh after 24h or on cache-miss). This is within scope but note the large cached download and that the script writes to /tmp.
Install Mechanism
ok: No install spec is provided (instruction-only). Examples use system packages (curl, jq) and the included Python script uses only the Python standard library. There are no external archive downloads or opaque install steps.
Credentials
ok: No environment variables or credentials are required. The script only communicates with api.mfapi.in and does not request unrelated secrets or access to other services.
Persistence & Privilege
note: The skill is not always-enabled and uses normal autonomous invocation defaults. It creates a local cache at /tmp/mfapi-schemes.json which is ephemeral but world-readable on many systems; this is expected for caching public data but worth noting on multi-user systems.