Skill v1.0.3
ClawScan security
canslim-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 2:09 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource requirements align with its stated purpose (local CANSLIM pipeline that fetches public market data, enriches with AI, and emits JSON/PDF reports); nothing requests unrelated credentials or hidden endpoints.
- Guidance: This package appears internally consistent with its stated purpose. Before running it: (1) Review Scripts/quantitative_analyzer.py if you want to confirm there are no unexpected subprocess invocations or remote endpoints beyond Wikipedia and yfinance; (2) run inside an isolated Python virtual environment as instructed (the skill writes log and output files to the working directory); (3) note that the AI enrichment step is performed by the agent (SKILL.md instructs the agent to read intermediate_canslim.json and add AI_Qualitative_Checks) — if you prefer not to allow the agent to access those files or perform enrichment automatically, perform the enrichment manually or restrict autonomous invocation; (4) no credentials are requested, but the code does make outbound HTTPS requests for public market data (internet access required). If you need higher assurance, run the scripts in a sandbox and inspect the full, untruncated final_process.py for any use of subprocess or external command execution before granting broad agent execution rights.
- Findings:
  - [pre-scan-injection-signals-none] expected: No pre-scan injection signals were detected. This is consistent with the code being included and straightforward.
Review Dimensions
- Purpose & Capability: ok. Name/description (CANSLIM hybrid analysis) match the included Python scripts and requirements: quantitative screening (yfinance, pandas), report generation (reportlab), and an AI enrichment step described in SKILL.md. The declared no-env-vars / no-binaries requirement is proportional.
- Instruction Scope: ok. SKILL.md gives concrete steps: create venv, pip install requirements.txt, run quantitative_analyzer.py, have the agent perform AI enrichment on intermediate_canslim.json, run final_process.py to produce outputs. The instructions do not ask the agent to read unrelated system files or secrets. The AI enrichment step is intentionally delegated to the agent (no separate implemented enrichment script), which matches the skill design.
- Install Mechanism: ok. No automated install spec is present (instruction-only install via venv + pip -r Scripts/requirements.txt). Dependencies are standard packages from PyPI and the requirements file is included and pinned; nothing is downloaded from arbitrary URLs or executed from untrusted hosts.
- Credentials: ok. The skill requests no environment variables or credentials. The code performs only public-data network requests (Wikipedia for S&P tickers, Yahoo Finance via yfinance). There are no hardcoded secret keys or unrelated service tokens.
- Persistence & Privilege: ok. The skill does not request always:true and does not attempt to modify other skills or global agent configuration. It writes outputs and a local log file (canslim_analysis.log) and creates Scripts/out/ for PDFs — typical for a reporting pipeline.
