Mortgage Rate Monitor
AdvisoryAudited by Static analysis on May 2, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install a package believing it is a mortgage-rate monitor but actually receive a weather briefing skill, making it hard to trust the package identity or version.
The published registry identity and bundled manifest identity do not match, creating a provenance and packaging-integrity concern even though the included code appears simple.
Registry: Name: Mortgage Rate Monitor; Slug: mortgage-rate-monitor; Version: 1.4.1 / SKILL.md: name: weather-brief; slug: weather-brief; version: 0.2.0
Verify the publisher and source, and require the registry name, slug, version, and bundled SKILL.md manifest to match before installing or republishing.
If the hooks are run, they will execute local shell commands and create files under the skill’s build directory.
The package includes shell hooks that can run during preparation or validation, but the reviewed commands are limited to creating a build directory, copying an asset, and validating manifest fields.
entrypoint: hooks/prepare.sh; hooks: prepare: hooks/prepare.sh, validate: hooks/validate.sh / mkdir -p "$OUT_DIR"; cp "$ROOT_DIR/assets/prompt.txt" "$OUT_DIR/prompt.txt"
Review lifecycle scripts before running them and only execute them from a trusted checkout; the provided scripts do not show network, credential, or destructive behavior.