Skill v1.1.0

ClawScan security

Stock Quote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 1, 2026, 1:31 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is coherent with its stated purpose (fetching stock quotes) and contacts only public finance endpoints; there are no unexplained credentials, installs, or file accesses. Some wording is imprecise: the name and description say “real-time” while the default source is delayed, and the script relies on web scraping and a shared demo API key.
Guidance
This skill is internally consistent for getting stock quotes, but consider the following before installing:
- Network exposure: it sends every queried ticker symbol to third-party services (Stooq, Yahoo/yfinance, FMP). Do not use it for symbols you would not want a third party to see; a stream of queries can reveal holdings or trading intent.
- Data latency: the default source order starts with Stooq (delayed/EOD data); if you need true intraday real-time data, use a paid real-time provider and update the skill accordingly.
- Demo key and scraping: the script uses FMP's hardcoded 'demo' key and a simple HTML regex against Yahoo pages. Both are fragile and rate-limited, so expect occasional failures (a shared demo key has no per-user quota, and a page-layout change breaks the regex). For production use, pin dependency versions, add caching and rate limiting, and consider switching to a paid API with the credential read from the environment or a secrets store rather than embedded in the script.
- Dependency safety: the skill recommends pip-installing yfinance and requests from PyPI. Audit or pin package versions (for example with a hash-verified requirements file) if you need stricter supply-chain controls.
If you only need occasional public quotes, this skill is appropriate; if you need strong privacy, guaranteed real-time data, or production SLAs, review and modify the code and data sources before use.
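The guidance lists concrete fixes: send symbols only to approved endpoints, validate what goes into the URL, read any provider key from the environment instead of a hardcoded demo key, cache and rate-limit upstream calls, and label delayed data honestly. The following Python sketch is an added example written for this page, not the skill's own script, showing how a quote fetcher could apply them. The FMP_API_KEY variable name, the Stooq CSV column layout, and the fake offline transport are assumptions, not details taken from the skill.

```python
"""Hardened quote client (added example; not the reviewed skill's own code).
Assumed, not from the page: the FMP_API_KEY name, the Stooq CSV layout
Symbol,Date,Time,Open,High,Low,Close,Volume with N/D for missing values,
and the fake transport/responses that let this run offline."""
import csv
import io
import os
import re
import time
from urllib.parse import urlsplit

# Only these hosts may receive a ticker; any other destination is a bug or an injection.
ALLOWED_HOSTS = {"stooq.com", "finance.yahoo.com", "financialmodelingprep.com"}
# Tickers are short upper-case alphanumerics with optional '.' or '-', checked before URL use.
TICKER_RE = re.compile(r"[A-Z][A-Z0-9.\-]{0,9}")


class QuoteError(Exception):
    """Invalid input, disallowed host, missing credential, or unusable response."""


def validate_ticker(symbol: str) -> str:
    s = symbol.strip().upper()
    if not TICKER_RE.fullmatch(s):
        raise QuoteError(f"refusing to send non-ticker input {symbol!r} upstream")
    return s


def api_key_from_env(name: str = "FMP_API_KEY", env=os.environ) -> str:
    """Read the provider key from the environment; deliberately no hardcoded 'demo' fallback."""
    key = env.get(name)
    if not key:
        raise QuoteError(f"{name} is not set; supply a real provider key")
    return key


def parse_stooq_csv(text: str) -> dict:
    """Parse one Stooq CSV row and label the result delayed/EOD rather than real-time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows or rows[0].get("Close") in (None, "", "N/D"):
        raise QuoteError("no usable close price in Stooq response")
    r = rows[0]
    return {"symbol": r["Symbol"], "close": float(r["Close"]),
            "as_of": f"{r['Date']} {r['Time']}", "latency": "delayed/EOD"}


class QuoteClient:
    """Fetches via an injected transport with a host allow-list, a minimum gap
    between upstream calls (rate limit) and a TTL cache for repeated queries."""

    def __init__(self, transport, ttl_s=60.0, min_interval_s=1.0, clock=time.monotonic, sleep=time.sleep):
        self._get, self._ttl, self._gap, self._clock, self._sleep = transport, ttl_s, min_interval_s, clock, sleep
        self._cache, self._last = {}, None   # url -> (fetched_at, body); time of last upstream call

    def fetch(self, url: str, timeout_s: float = 5.0) -> str:
        host = urlsplit(url).hostname
        if host not in ALLOWED_HOSTS:
            raise QuoteError(f"host {host!r} is not an approved finance endpoint")
        now, hit = self._clock(), self._cache.get(url)
        if hit and now - hit[0] < self._ttl:
            return hit[1]                                   # fresh enough: no upstream call
        if self._last is not None and now - self._last < self._gap:
            self._sleep(self._gap - (now - self._last))     # crude rate limit
        body = self._get(url, timeout_s)                    # a real transport must honour the timeout
        self._last = self._clock()
        self._cache[url] = (self._last, body)
        return body

    def stooq_quote(self, symbol: str) -> dict:
        s = validate_ticker(symbol)
        return parse_stooq_csv(self.fetch(f"https://stooq.com/q/l/?s={s.lower()}.us&f=sd2t2ohlcv&h&e=csv"))


# Constructed sample responses (assumed Stooq layout) so the demonstration never touches the network.
FAKE_RESPONSES = {
    "https://stooq.com/q/l/?s=aapl.us&f=sd2t2ohlcv&h&e=csv":
        "Symbol,Date,Time,Open,High,Low,Close,Volume\nAAPL.US,2026-03-31,22:00:05,170.1,172.3,169.8,171.5,55000000\n",
    "https://stooq.com/q/l/?s=zzzz.us&f=sd2t2ohlcv&h&e=csv":
        "Symbol,Date,Time,Open,High,Low,Close,Volume\nZZZZ.US,N/D,N/D,N/D,N/D,N/D,N/D,N/D\n",
}


def make_fake_transport():
    """Stand-in for requests.get(url, timeout=...).text that counts upstream calls."""
    calls = {"n": 0}

    def get(url, timeout):
        calls["n"] += 1
        return FAKE_RESPONSES[url]
    return get, calls


def demo() -> dict:
    """Exercise each control offline and return the outcomes."""
    get, calls = make_fake_transport()
    client = QuoteClient(get, clock=lambda: 100.0, sleep=lambda s: None)
    out = {"quote": client.stooq_quote("aapl")}
    client.stooq_quote("AAPL")                  # same symbol again: served from the cache
    out["second_call_cached"] = calls["n"] == 1
    probes = {"bad_ticker": lambda: client.stooq_quote("AAPL&s=evil"),
              "bad_host": lambda: client.fetch("https://attacker.example/?s=aapl"),
              "no_data": lambda: client.stooq_quote("ZZZZ"),
              "missing_key": lambda: api_key_from_env(env={})}
    for name, probe in probes.items():
        try:
            probe()
            out[name] = "accepted"
        except QuoteError:
            out[name] = "rejected"
    return out
```

Dependency pinning belongs outside the script: commit a requirements file with exact versions and hashes and install with `pip install --require-hashes -r requirements.txt`, so a substituted PyPI release fails to install instead of running.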

Review Dimensions

Purpose & Capability
note: Name/description claim 'real-time' prices, but the default source (Stooq) provides delayed/EOD data; yfinance and web scraping are also available, and behavior and latency differ by source. Otherwise the requested capabilities (price and fundamentals) match the included code and data sources.
Instruction Scope
ok: SKILL.md instructs the agent to run the bundled Python CLI and shows examples. The runtime instructions and the script limit actions to fetching data from public finance APIs and formatting output; they do not read arbitrary system files or require undeclared environment variables. The example references to updating MEMORY.md/HEARTBEAT.md are illustrative and are not implemented in the provided script.
Install Mechanism
ok: No install spec in the registry (instruction-only). The skill includes a Python script and recommends installing yfinance (and requests as a fallback) via pip, which is standard for Python utilities. No downloads from unknown URLs or extract/install steps are present.
Credentials
ok: The skill requires no environment variables or credentials. It uses public endpoints (stooq.com, finance.yahoo.com, financialmodelingprep.com) and FMP's hardcoded 'demo' key; no secret exfiltration or unrelated credential requests are present.
Persistence & Privilege
ok: The skill is not always-enabled, does not request system-level persistence, and the code does not modify other skills or agent-wide configs. Autonomous invocation is permitted (platform default) but is not combined with other concerning privileges here.