ClawHub
Back to skill
v1.0.0

Investment Browser SEC Scraper

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:00 AM.

Analysis

This is a coherent instruction-only SEC reporting skill with no executable code, though it may browse SEC pages and create persistent report documents such as Google Sheets.

GuidanceBefore installing, be aware that the skill is just instructions for an agent: it may browse SEC EDGAR, produce PDF or Google Sheet reports, and send links. Approve any document creation or sharing, and verify all financial metrics against the original SEC filing before relying on them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL 2.md
1. Browser → sec.gov/edgar → "[TICKER]" latest 10-Q ... 4. PDF report + Google Sheet
5. Envía links al usuario

The skill directs the agent to use web browsing and document-output tools. These actions fit the SEC scraper/report purpose, but they should remain tied to a user-provided ticker and reviewed before links are sent.

User impactThe agent may visit SEC web pages and create report files or links on the user’s behalf.
RecommendationConfirm the ticker, filing source, and any file/link creation before relying on or sharing the report.
Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
## **TSLA Q3 2025 EXECUTED DEMO** (4 archivos generados):


undefined

The artifact presents an executed demo claim, but the demo section is incomplete and shows an undefined placeholder. This is not malicious behavior, but it could overstate the reliability or completeness of the financial analysis.

User impactUsers could place too much trust in the sample financial outputs or assume the report generation has been validated.
RecommendationTreat generated financial metrics as draft analysis and verify them against the original SEC filing before making investment decisions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceMediumStatusNote
SKILL 2.md
4. PDF report + Google Sheet

Creating a Google Sheet may require access to the user’s Google account or workspace. This is purpose-aligned for report generation, but the artifacts do not define which account, folder, or sharing permissions should be used.

User impactIf the agent has Google document tools connected, it could create a spreadsheet in the user’s account.
RecommendationUse an intended account and folder, and approve sharing settings before any Google Sheet link is sent.