SEC Filings
PassAudited by ClawScan on May 14, 2026.
Overview
This skill appears benign and only queries a Lovelace-hosted SEC filings API, but users should know their company/ticker search terms are sent to that external service.
This skill is reasonable to install if you are comfortable with Lovelace receiving your SEC filing search terms. Do not include private or confidential information in queries, and ensure generated curl requests safely encode user-provided values.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A poorly escaped company name or ticker could cause a failed request or unintended shell parsing in a naive execution path, though the artifacts do not show destructive or privileged commands.
The skill relies on curl and a user-provided entity value to form requests. This is expected for the stated purpose, but user input should be encoded safely when constructing shell commands or URLs.
Use `curl` to call the endpoint below. Server runs at `https://labs.lovelace.ai/sec/api`. Every request requires `entity`
Use the skill only for user-requested filing lookups and ensure the entity and filter values are URL-encoded rather than inserted into shell commands as raw text.
The external service can receive the company names, tickers, CIKs, dates, and filing filters you ask about.
Queries are sent to a Lovelace-hosted API rather than directly to SEC.gov. This is disclosed and purpose-aligned, and no credentials or local sensitive data are requested.
Server runs at `https://labs.lovelace.ai/sec/api`
Avoid including confidential context in filing queries and review the linked Lovelace terms if external service logging or retention matters to you.