Skill v1.3.0
ClawScan security
investoday-sector-research-interpretation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 28, 2026, 7:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose, its runtime instructions, and its declared dependency on the investoday-finance-data tool are consistent and proportionate — it only describes using that tool's entity-recognition and research/sentiment APIs and requests no extra system access or credentials.
- Guidance
- This skill appears internally consistent and low-risk by itself. Before installing or enabling it for production use, review the investoday-finance-data skill it depends on (that skill will handle API keys and network access). Confirm that the underlying data skill's install, env vars, and storage/privacy behavior match your security requirements, and test with non-sensitive queries to verify the promise "does not record or store user query records" is honored in practice. If you need auditability, request logs or telemetry controls from the deployer of the investoday-finance-data tool.
Review Dimensions
- Purpose & Capability
- ok: The skill claims to produce structured sector/theme research summaries and explicitly delegates data access to the investoday-finance-data skill. All required operations (entity recognition, research/sentiment calls) are declared and match the stated purpose; there are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope
- ok: SKILL.md provides a clear 4-step analysis flow and specifies exact toolIDs and parameters (entity-recognition; research/sentiment with 90-day window). It does not instruct the agent to read local files, system state, or arbitrary environment variables, nor to transmit data to endpoints outside the declared tool. It also includes evidence and output constraints (e.g., at least 2 evidence sources, no stock-level recommendations).
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded by the skill itself. That minimizes install-time risk.
- Credentials
- ok: The skill declares no required environment variables, credentials, or config paths. All API access is routed through the investoday-finance-data skill; any credential needs would arise from that dependent skill, not this one.
- Persistence & Privilege
- ok: always:false and user-invocable:true. The skill does not request permanent presence or modification of other skills or system-wide settings. There is no instruction to persist or cache user queries beyond a declarative privacy note in the doc.
