Mortgage Rate Monitor
Pass
Audited by VirusTotal on May 2, 2026.
Overview
Type: OpenClaw Skill
Name: mortgage-rate-monitor
Version: 1.4.1
The skill bundle is a standard implementation of a weather briefing tool. The shell scripts in hooks/prepare.sh and hooks/validate.sh perform routine file operations and manifest checks within the local directory without any network activity or sensitive data access. While there is a minor metadata discrepancy between the slug in _meta.json (mortgage-rate-monitor) and SKILL.md (weather-brief), the logic and instructions across all files, including the AI prompt in assets/prompt.txt, are consistent with the stated purpose and show no signs of malicious intent or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install a package believing it is a mortgage-rate monitor but actually receive a weather briefing skill, making it hard to trust the package identity or version.
The published registry identity and bundled manifest identity do not match, creating a provenance and packaging-integrity concern even though the included code appears simple.
Registry: Name: Mortgage Rate Monitor; Slug: mortgage-rate-monitor; Version: 1.4.1
SKILL.md: name: weather-brief; slug: weather-brief; version: 0.2.0
Verify the publisher and source, and require the registry name, slug, version, and bundled SKILL.md manifest to match before installing or republishing.
If the hooks are run, they will execute local shell commands and create files under the skill’s build directory.
The package includes shell hooks that can run during preparation or validation, but the reviewed commands are limited to creating a build directory, copying an asset, and validating manifest fields.
entrypoint: hooks/prepare.sh; hooks: prepare: hooks/prepare.sh, validate: hooks/validate.sh
mkdir -p "$OUT_DIR"; cp "$ROOT_DIR/assets/prompt.txt" "$OUT_DIR/prompt.txt"
Review lifecycle scripts before running them and only execute them from a trusted checkout; the provided scripts do not show network, credential, or destructive behavior.
