fintech-specialist
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent fintech reference, but a bundled example file is flagged as containing a hardcoded client secret, which needs review before use.
Review the example file for real secrets before installing or using this skill. If any credential is real, rotate it immediately and replace it with an environment-variable placeholder. Treat the payment and crypto examples as educational only, and use sandbox/test accounts unless you have explicit approval for production financial actions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If adapted carelessly, the example code could interact with real payment systems or financial records.
The reference material demonstrates payment API integration and payment-processing logic. This is aligned with a fintech specialist skill, but these patterns are high-impact if a user copies and runs them with live credentials.
const stripe = new Stripe(config.stripe.secretKey, ...); ... async processPayment(request: any)
Use examples only with test credentials and explicit human review before any production payment, transfer, or account mutation.
If the redacted value is a real secret, anyone with the skill package could misuse or leak access to an associated service or account.
The static scan reports this as a hardcoded API secret or token. A reference-only fintech skill should not include real credential material, and the metadata declares no required credentials.
clientSecret: [REDACTED],
Inspect references/examples.md before installing or sharing, remove any real secrets, rotate/revoke exposed credentials, and replace literals with environment-variable placeholders.
