v1.1.1

Clawback

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

This skill appears purpose-aligned, but it can store broker credentials, place real-money trades automatically, and run as a background service, so it needs careful review before installation.

Guidance

Treat this as a high-impact autonomous trading tool, not a simple information tracker. Start in E*TRADE sandbox mode, keep conservative position limits, protect the saved config file, avoid daemon mode until you know how to stop it, and only enable production trading if you are comfortable with the bot placing real orders.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
Source: SKILL.md
`/clawback run` | Start trading bot: Execute `{baseDir}/bin/clawback.py run` ... `executes scaled positions in your E*TRADE brokerage account`

The skill is designed to turn an agent command into automated broker execution, which can place trades from the user's account.

User impact: If configured for production, invoking the bot can cause real purchases or sales in the user's brokerage account.
Recommendation: Use sandbox mode first, review all configuration and risk limits, and avoid production trading unless you explicitly want autonomous broker execution.

Rogue Agents
Severity: High | Confidence: High | Status: Concern
Source: SKILL.md
`/clawback daemon` | Run as background service ... `Disclosure Checks | 10:00, 14:00, 18:00 ET`

The artifacts document a background service mode with scheduled checks, so the skill can keep operating long after the initial command returns.

User impact: A background process could continue monitoring disclosures and triggering trades unless the user knows how to stop it.
Recommendation: Do not enable daemon/background mode until you understand how it is installed, monitored, stopped, and prevented from trading unexpectedly.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
Source: README.md
`Real-time disclosure tracking` from official House Clerk and Senate eFD sources ... `Automated trade execution` via E*TRADE API

The workflow connects externally parsed disclosure data directly to trade execution, so bad source data, parsing mistakes, or misconfiguration can propagate straight into broker actions.

User impact: Incorrect or misunderstood disclosure data could lead to unwanted trades or losses.
Recommendation: Prefer dry-run or sandbox operation, review parsed disclosures before live execution, and keep conservative trade limits.

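The recommendation above amounts to putting a validation and limit gate between the parser and the broker client. The block below is an added example written for this review; it is not code from the Clawback skill and does not touch the E*TRADE API. The record fields, the 45-day freshness window, the 1% scaling rule, the limits and all helper names are assumptions chosen to illustrate the gate, and the sample filings are constructed.

```python
"""Pre-trade gate between parsed congressional disclosures and broker orders.

Added example for this review; not code from the Clawback skill. Record shape,
limits, scaling rule and helper names are assumptions, not the skill's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

TICKER_RE = re.compile(r"^[A-Z]{1,5}$")  # assumption: plain US equity symbols only
ALLOWED_TYPES = {"purchase", "sale"}       # transaction types the gate knows how to mirror
MAX_AGE_DAYS = 45                          # assumption: ignore filings older than this
TODAY = date(2026, 5, 1)                   # fixed "now" so the sample run is reproducible


@dataclass(frozen=True)
class Disclosure:
    """One parsed transaction from a House Clerk / Senate eFD filing (constructed shape)."""
    filer: str
    ticker: str
    tx_type: str
    amount_min: float  # filings give a dollar range, not an exact amount
    amount_max: float
    tx_date: date


@dataclass(frozen=True)
class Limits:
    """Risk limits; dry_run defaults to True so nothing reaches the broker by accident."""
    max_order_usd: float = 500.0
    max_position_usd: float = 2_000.0
    dry_run: bool = True


@dataclass(frozen=True)
class Order:
    ticker: str
    side: str      # "buy" or "sell"
    usd: float
    dry_run: bool  # True: log only; False: would be handed to the broker client


def validate(d: Disclosure, today: date) -> list[str]:
    """Return the problems with a parsed record; an empty list means it may proceed."""
    problems: list[str] = []
    if not TICKER_RE.fullmatch(d.ticker):
        problems.append(f"ticker {d.ticker!r} is not a plain symbol")
    if d.tx_type not in ALLOWED_TYPES:
        problems.append(f"unsupported transaction type {d.tx_type!r}")
    if not 0 < d.amount_min <= d.amount_max:
        problems.append("amount range is inconsistent")
    if d.tx_date > today:
        problems.append("transaction is dated in the future")
    elif (today - d.tx_date).days > MAX_AGE_DAYS:
        problems.append(f"disclosure is older than {MAX_AGE_DAYS} days")
    return problems


def gate(d: Disclosure, limits: Limits, position_usd: float, today: date,
         scale: float = 0.01) -> Order | None:
    """Turn a valid disclosure into a capped order, or None if it must not trade.

    The order mirrors the low end of the reported range scaled down by `scale`,
    capped by the per-order limit and by the remaining room in the position.
    """
    if validate(d, today):
        return None
    proposed = d.amount_min * scale
    if d.tx_type == "purchase":
        usd = min(proposed, limits.max_order_usd, limits.max_position_usd - position_usd)
        side = "buy"
    else:
        usd = min(proposed, limits.max_order_usd, position_usd)  # never sell more than held
        side = "sell"
    if usd <= 0:
        return None
    return Order(d.ticker, side, round(usd, 2), limits.dry_run)


# Constructed sample records; the last two carry bad data the gate must reject.
SAMPLE = [
    Disclosure("Rep. A", "MSFT", "purchase", 15_001, 50_000, date(2026, 4, 10)),
    Disclosure("Sen. B", "NVDA", "sale", 1_001, 15_000, date(2026, 4, 20)),
    Disclosure("Rep. C", "msft; drop", "purchase", 1_001, 15_000, date(2026, 4, 25)),
    Disclosure("Rep. D", "AAPL", "purchase", 50_001, 100_000, date(2026, 1, 2)),
]
POSITIONS = {"NVDA": 300.0}  # constructed current holdings in USD


def run_gate(records=SAMPLE, limits=Limits(), positions=POSITIONS, today=TODAY):
    """Apply the gate to every record; returns (orders, rejections) for review."""
    orders, rejected = [], []
    for d in records:
        order = gate(d, limits, positions.get(d.ticker, 0.0), today)
        if order:
            orders.append((d.ticker, order))
        else:
            rejected.append((d.ticker, validate(d, today) or ["no room within limits"]))
    return orders, rejected


if __name__ == "__main__":
    orders, rejected = run_gate()
    for ticker, result in orders + rejected:
        print(ticker, result)
```

Note that `dry_run` is carried on the order object itself and defaults to True, so a caller that forgets to set the mode cannot accidentally hand a live order to the broker client; only an explicit `Limits(dry_run=False)` produces a live one.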
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
Source: SKILL.md
Check if `{baseDir}/venv` exists. If not, run: `cd {baseDir} && python3 -m venv venv && source venv/bin/activate && pip install -e .`

Setup runs local Python packaging commands. This is normal for a Python CLI skill, but `pip install -e .` executes the project's own build and setup logic from the skill directory and pulls in whatever dependencies it declares.

User impact: Running setup executes install code shipped with the skill and installs its dependencies into a virtual environment.
Recommendation: Only run setup after deciding you trust the skill source, and review the package contents and declared dependencies to the degree your risk tolerance requires.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
Source: SKILL.md
Create/update `~/.clawback/config.json` ... `credentials`: { `apiKey`: `<consumer_key>`, `apiSecret`: `<consumer_secret>` } ... `production` (real money)

The skill needs broker credentials and account access for its stated purpose, but these credentials are sensitive and enable high-impact account actions.

User impact: Anyone or any process that can read the saved configuration can read the consumer key and secret and use them to interact with the brokerage integration.
Recommendation: Use least-privilege broker credentials if available, protect `~/.clawback/config.json` so only your user can read it, avoid sharing logs or config files, and revoke the keys if uninstalling.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
Source: SKILL.md
`notifications`: { `telegram`: { `enabled`: true, `useOpenClaw`: true } }

The default setup enables Telegram/OpenClaw notification integration, which may send trade-related events outside the local machine.

User impact: Trade alerts or operational details may be sent through an external notification channel.
Recommendation: Disable Telegram notifications, or review exactly what is sent, if trading activity is private.
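The Identity and Privilege Abuse finding and this Telegram finding both come down to checking the saved config before the bot starts: file permissions, which environment is selected, and which notification channels are on. The block below is an added example written for this review, not code from the Clawback skill. The `credentials.apiKey`/`apiSecret` and `notifications.telegram` keys are the ones quoted in the findings; the top-level `mode` key holding `"sandbox"` or `"production"` is an assumption about how the environment is selected, and the sample config is constructed with every weak setting enabled.

```python
"""Audit the saved Clawback configuration before the bot is allowed to start.

Added example for this review, not code from the Clawback skill. The `mode`
key is an assumption; the credential and Telegram keys are quoted in the findings.
"""
import copy
import json
import os
import stat
import tempfile
from pathlib import Path

REDACTED = "***"
SECRET_KEYS = ("apiKey", "apiSecret")

# Constructed config mirroring the quoted artifacts, with every weak setting enabled.
SAMPLE_CONFIG = {
    "mode": "production",  # assumed key; "production" is what the skill calls real money
    "credentials": {"apiKey": "<consumer_key>", "apiSecret": "<consumer_secret>"},
    "notifications": {"telegram": {"enabled": True, "useOpenClaw": True}},
}


def write_config(directory: Path, cfg: dict, mode: int = 0o644) -> Path:
    """Write cfg as config.json with the given permission bits (0644 is the weak case)."""
    path = directory / "config.json"
    path.write_text(json.dumps(cfg, indent=2))
    os.chmod(path, mode)
    return path


def harden(path: Path) -> None:
    """Owner read/write only: the only process that needs the keys is the bot itself."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def redact(cfg: dict) -> dict:
    """Deep copy with credential values masked, safe to print or attach to a bug report."""
    safe = copy.deepcopy(cfg)
    creds = safe.get("credentials", {})
    for key in SECRET_KEYS:
        if key in creds:
            creds[key] = REDACTED
    return safe


def audit(path: Path) -> list[str]:
    """Return warnings about the file and its contents; an empty list means it passed."""
    warnings: list[str] = []
    st = path.stat()
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append(f"{path.name} is group/world accessible "
                        f"({stat.filemode(st.st_mode)}); run chmod 600 on it")
    cfg = json.loads(path.read_text())
    creds = cfg.get("credentials", {})
    for key in SECRET_KEYS:
        if not creds.get(key):
            warnings.append(f"credentials.{key} is empty")
    if cfg.get("mode") == "production":
        warnings.append("mode is production: orders will be placed with real money")
    telegram = cfg.get("notifications", {}).get("telegram", {})
    if telegram.get("enabled"):
        warnings.append("Telegram notifications enabled: trade events will leave this machine")
    return warnings


def run_audit(cfg: dict = SAMPLE_CONFIG) -> dict:
    """Audit the weak config, fix file mode and settings, audit again; return both results."""
    workdir = Path(tempfile.mkdtemp())
    before = audit(write_config(workdir, cfg))
    fixed = copy.deepcopy(cfg)
    fixed["mode"] = "sandbox"
    fixed["notifications"]["telegram"]["enabled"] = False
    path = write_config(workdir, fixed)
    harden(path)
    return {"before": before, "after": audit(path), "redacted": redact(cfg)}


if __name__ == "__main__":
    result = run_audit()
    print("before:", *result["before"], sep="\n  ")
    print("after:", result["after"])
    print("redacted:", json.dumps(result["redacted"]))
```

Running the audit at every start, rather than once at install, catches the case where a backup tool, a copy to another machine, or a later edit silently widens the file mode or flips the bot back to production.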