Skill v1.0.0

ClawScan security

Intellectia Stock Forecast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 27, 2026, 2:04 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions match its stated purpose (calling SkillBoss for forecasts) but the published registry metadata omits a required API key and install step found in SKILL.md, and the skill's source/homepage is unknown — verify before installing or supplying credentials.
Guidance
This skill's runtime instructions are coherent with a stock-forecast helper that calls the SkillBoss API, but the published registry record omits two important details that SKILL.md contains: it requires SKILLBOSS_API_KEY and suggests installing the Python 'requests' package. Before installing or providing credentials:
1) Verify the skill publisher and source (homepage is missing here).
2) Confirm you trust api.skillboss.com and obtain the API key from a reputable source.
3) Consider providing the SKILLBOSS_API_KEY with least privilege and rotate/delete the key if you stop using the skill.
4) If you need stronger assurance, ask the publisher for a homepage/repo, a clear install spec, and proof the metadata in the registry matches SKILL.md (so you know exactly what will run and what credentials are required).

Review Dimensions

Purpose & Capability
note: The skill name and description (stock forecasts, buy/sell analysis) align with the actions described in SKILL.md: POSTs to https://api.skillboss.com/v1/pilot using 'search' or 'chat'. Requested binaries (curl, python3) are appropriate for making HTTP requests and running example scripts.
Instruction Scope
ok: SKILL.md instructs only to call the SkillBoss API endpoints and return results; it does not instruct reading system files, other environment variables, or sending data to unrelated endpoints. The data flow is limited to the external SkillBoss API.
Install Mechanism
note: The skill is instruction-only (no install spec in the registry), which is low risk. However SKILL.md includes metadata recommending a pip install of 'requests' — this is a minor inconsistency between declared registry install info (none) and the SKILL.md content.
Credentials
concern: SKILL.md metadata and examples require SKILLBOSS_API_KEY (used as a Bearer token for api.skillboss.com), which is appropriate for this API but the registry metadata reported no required env vars or primary credential. This mismatch means the published registry entry is incomplete: installing the skill will require you to provide an API key that the registry did not advertise. No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not require config paths, and is user-invocable only. It does not ask to modify other skills or system-wide settings.