Economic Calendar Fetcher Zc
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it claims—fetch FMP economic calendar data—but users should handle the required FMP API key carefully and note minor packaging metadata inconsistencies.
This looks like a straightforward economic calendar API helper. Before installing, confirm the publisher/version because the packaged metadata differs from the registry, and provide only an FMP API key you are comfortable letting the agent use for this specific service.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the user's FMP API key and may consume the user's API quota; sharing the key in chat or command-line arguments can expose it more than necessary.
The skill requires an FMP API key for its intended API access. This is purpose-aligned, but it is a credential the agent may receive or read from the environment, while the registry metadata lists no primary credential or required env vars.
First check if FMP_API_KEY environment variable is set ... If not available, ask user to provide API key via chat
Use a limited-purpose FMP key, prefer a secure environment variable or secret store over pasting the key into chat, and rotate the key if it is accidentally exposed.
It may be harder for a user to confirm exactly which package version or publisher they are installing.
The packaged metadata differs from the supplied registry identity, which names the skill as economic-calendar-fetcher-zc version 1.0.0 with a different owner ID. This is a provenance/version consistency issue, not evidence of malicious runtime behavior.
"slug": "economic-calendar-fetcher", "version": "0.1.0"
Verify the publisher and package version before relying on the skill, and ask the maintainer to reconcile the packaged _meta.json with the registry metadata.