Skill v1.0.0
ClawScan security
Mutual Fund Evaluator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 6, 2026, 12:29 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions are internally consistent with a mutual-fund-evaluation documentation/tooling skill and do not request unrelated credentials or install code, but the package is purely documentation (no code) from an unknown source and omits auth details for the external APIs it references.
- Guidance
- This skill is documentation-only (no install or executable code) and appears coherent for evaluating mutual funds. Before using it: 1) Verify the API provider (toolweb.in) and whether an API key/account is required — the skill's docs list paid plans but do not show auth details. 2) Do not send real personally identifiable or sensitive financial data to the referenced endpoints until you confirm the provider, TLS, and privacy policy. 3) Treat any recommendations as informational (not regulated financial advice); cross-check outputs with independent sources. 4) If you plan to integrate the skill into an agent that performs web requests, review network traffic and restrict what user data the agent may send to external services.
Review Dimensions
- Purpose & Capability
- note: The name/description (Indian mutual-fund evaluation using web search and profiling) aligns with the provided API docs and example request/response. Minor inconsistency: the SKILL.md mentions web-search integration and lists external API endpoints/pricing (toolweb.in) but does not declare any required credentials or explain how paid plans/auth are handled — plausible for a documentation-only skill but could be an omission.
- Instruction Scope
- ok: SKILL.md contains only API documentation, sample request/response, and endpoint descriptions. There are no instructions to read local files, system environment variables, or to transmit unrelated local data. It does not instruct the agent to access unrelated system resources.
- Install Mechanism
- ok: No install spec and no code files beyond docs/OpenAPI. That is low risk — nothing would be written to disk or executed by an automatic installer.
- Credentials
- note: The skill requests no environment variables or credentials (none declared). That is proportionate for a documentation-only skill, but the included pricing and API host references imply a hosted service that likely requires API keys in practice — the omission of any authentication details could be an oversight and warrants verification before sending real investor data to the referenced endpoints.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent privileges or claim to modify other skills or system settings. Autonomous invocation (default) is allowed but unremarkable for this type of skill.
