ClawHub
Back to skill
v1.0.0

Economic Calendar Fetcher Zc

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

The skill appears to do what it claims—fetch FMP economic calendar data—but users should handle the required FMP API key carefully and note minor packaging metadata inconsistencies.

GuidanceThis looks like a straightforward economic calendar API helper. Before installing, confirm the publisher/version because the packaged metadata differs from the registry, and provide only an FMP API key you are comfortable letting the agent use for this specific service.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
_meta.json
"slug": "economic-calendar-fetcher", "version": "0.1.0"

The packaged metadata differs from the supplied registry identity, which names the skill as economic-calendar-fetcher-zc version 1.0.0 with a different owner ID. This is a provenance/version consistency issue, not evidence of malicious runtime behavior.

User impactIt may be harder for a user to confirm exactly which package version or publisher they are installing.
RecommendationVerify the publisher and package version before relying on the skill, and ask the maintainer to reconcile the packaged _meta.json with the registry metadata.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
First check if FMP_API_KEY environment variable is set ... If not available, ask user to provide API key via chat

The skill requires an FMP API key for its intended API access. This is purpose-aligned, but it is a credential the agent may receive or read from the environment, while the registry metadata lists no primary credential or required env vars.

User impactThe agent can use the user's FMP API key and may consume the user's API quota; sharing the key in chat or command-line arguments can expose it more than necessary.
RecommendationUse a limited-purpose FMP key, prefer a secure environment variable or secret store over pasting the key into chat, and rotate the key if it is accidentally exposed.