Skill v1.0.0

ClawScan security

mar-fundamental-stock-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 5:48 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and included playbook are internally consistent with a fundamentals-based stock analysis tool and do not ask for unrelated credentials or elevated system access.
Guidance
This skill appears coherent and low-risk: it only contains instructions and a playbook for public-data analysis and doesn't ask for credentials or install code. Before installing, confirm the agent platform enforces browsing scope (so the skill can't cause broad web crawling or exfiltrate data), and remember outputs are informational — do not treat them as investment advice. If you rely on paywalled data or private APIs, expect metrics to be marked NA. If you want extra safety, run the skill with web access turned off or review its first output interactively to verify it follows the documented source hierarchy.

Review Dimensions

Purpose & Capability
ok · Name/description (fundamental equity analysis and peer ranking) match the skill content: an instruction-only playbook that prescribes data collection, screening, scoring, and output formatting. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
note · The SKILL.md and playbook narrowly constrain activity to ticker-relevant web retrieval (filings, fundamentals, reputable aggregators, and news) and explicitly forbid requesting secrets, local file discovery, command execution, or arbitrary URL exploration. This is coherent, but the skill relies on the agent's web-retrieval capability — if the host platform's browsing tooling is permissive, it could still fetch arbitrary URLs unless the platform enforces the documented restrictions.
Install Mechanism
ok · Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by the skill itself.
Credentials
ok · The skill requests no environment variables, credentials, or config-path access. The playbook explicitly disallows handling secrets; requested access (public financial data & news) is proportionate to the stated purpose.
Persistence & Privilege
ok · always is false and the skill does not request any persistent system-level changes or cross-skill config modifications. It is user-invocable and may be called autonomously by the agent (platform default), which is expected for this kind of skill.