Skill v1.1.11

ClawScan security

Stanley Druckenmiller Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 1:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and optional dependencies are consistent with a market-analysis / briefing workflow and do not request unrelated credentials or system privileges.
Guidance
This skill appears coherent for producing macro morning briefs and related modes. Before installing or running it:
1) Be aware it performs outbound network requests to public data providers (Yahoo, Stooq, FRED proxies, optional finshare/akshare); ensure that network access is acceptable for your environment.
2) The skill writes cache files by default into the skill directory (.runtime/market-snapshots); do not set STANLEY_RUNTIME_DIR to a sensitive system path.
3) Optional dependencies (finshare, akshare) can be installed to improve coverage; review those third-party packages and their auth requirements before installing.
4) If you supply a FRED API key, limit its scope and treat it as a secret.
5) Run the skill in a sandbox or with limited privileges if you want to audit its network behavior first.
Overall, the skill implements what it claims and does not request unrelated credentials or hidden privileges.

Review Dimensions

Purpose & Capability
ok
The skill claims to be a macro-to-execution market workflow and the included code (market_panels.py), README, and reference docs implement data fetching, panel construction, and evidence protocols for U.S. and A-share markets. Data sources and libraries (Yahoo, Stooq, FRED proxies, AkShare, optional finshare) align with the stated purpose; nothing requested or present appears unrelated to producing market briefs.
Instruction Scope
note
SKILL.md constrains output style and evidence rules and does not instruct the agent to read unrelated system files. The code will perform network requests to public data endpoints and may write cache files under the skill directory (.runtime/market-snapshots). SKILL.md and README reference optional environment variables (FINSHARE_MODE, FRED_API_KEY, STANLEY_RUNTIME_DIR) and the code honors them; these are reasonable for data-source selection and runtime path override but should be noted (see guidance).
Install Mechanism
ok
There is no install spec bundled with the skill. README suggests optional pip installs (finshare, akshare) for additional data coverage; that is a normal, low-risk developer instruction. The skill itself does not download or execute arbitrary archives or external installers.
Credentials
note
The skill declares no required env vars or credentials. The README and SKILL.md reference optional env vars (FINSHARE_MODE, FRED_API_KEY, STANLEY_RUNTIME_DIR). Requiring a FRED API key is proportional to improved macro-series quality; FINSHARE_MODE toggles optional behavior. The runtime-dir override allows writing cache anywhere if the user sets STANLEY_RUNTIME_DIR — reasonable but worth caution. No unrelated secrets or cross-service tokens are requested.
Persistence & Privilege
ok
always:false and no platform-level persistence is requested. The code writes runtime cache inside the skill folder by default; that is scoped and reversible. The only elevated behavior is the ability to change the runtime path via STANLEY_RUNTIME_DIR if explicitly set by the user—this is a user-controlled option, not automatic.