FRED-Navigator

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent FRED data helper, but its query script weakens HTTPS certificate verification while using an API key.

Review the SSL override before installing or using the helper script. If you proceed, remove that override, install dependencies in an isolated environment, pin package versions where possible, and use a dedicated FRED API key.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured proxy could intercept the FRED API key or tamper with returned economic data.

Why it was flagged

The script globally replaces Python's default HTTPS context before using fredapi, which can weaken certificate verification for outbound FRED API requests.

Skill content

ssl._create_default_https_context = ssl._create_stdlib_context

Recommendation

Remove the SSL context override and fix certificate issues by updating the system CA store or configuring trusted certificates explicitly.

What this means

The skill needs access to a FRED API key to make provider requests, even though the registry metadata does not declare a primary credential.

Why it was flagged

The helper requires and uses a FRED API key from the environment; this is purpose-aligned, but users should know a credential is involved.

Skill content

api_key = os.getenv("FRED_API_KEY") ... return Fred(api_key=api_key)

Recommendation

Use a dedicated FRED API key with minimal account impact and avoid placing it in shared logs, notebooks, or shell history.

What this means

Installing the skill could pull updated dependency versions with different behavior or vulnerabilities.

Why it was flagged

The Python dependencies are unpinned, so future installs may resolve to different package versions than the reviewed artifacts expect.

Skill content

fredapi
pandas

Recommendation

Pin dependency versions and, for higher assurance, use a lockfile or trusted package mirror.