v1.0.0

US Stock Financials

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:00 AM.

Analysis

This appears to be a coherent SEC financial-data tool, with caution needed for its global Python package install guidance and its fallback to unverified HTTPS fetching.

Guidance: This skill is reasonable for fetching public SEC financial data. Before installing, use a Python virtual environment instead of a global --break-system-packages install, and be aware that the script should not use unverified HTTPS if the integrity of the financial data matters.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
scripts/sec_finance.py
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
...
for ctx_factory in (_secure_ctx, _fallback_insecure_ctx):

The script first tries a normal TLS context, then falls back to a context that disables certificate and hostname verification when fetching SEC data.

User impact: If a network attacker or misconfigured proxy is present, downloaded financial data could be tampered with without the script detecting it.
Recommendation: Prefer removing the insecure TLS fallback, or require an explicit user option before allowing unverified HTTPS.
Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
reportlab (PDF generation): `pip3 install reportlab --break-system-packages`

The documented optional dependency install is unpinned and uses --break-system-packages, which can modify the global Python environment.

User impact: Installing this way may affect system Python packages and relies on the current PyPI package version at install time.
Recommendation: Install dependencies in a virtual environment and pin trusted package versions where possible.