Skill v1.0.0
ClawScan security
trading212 Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 8:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, requirements, and environment variables are coherent with its stated purpose (Trading212 portfolio analysis and trade execution); nothing in the bundle indicates hidden endpoints or unrelated credential requests.
- Guidance: This skill appears to do what it says: portfolio analysis, trade proposals, and order placement via Trading212. Before installing:
  1. Keep TRADING212_DEMO=true (paper trading) until you have tested and reviewed behavior; only set TRADING212_DEMO=false when you intentionally want live trades.
  2. Review and control the .env file in the project root — it will be loaded into the process and may contain other secrets.
  3. Provide only the Trading212 API key/secret to this skill; do not reuse highly privileged credentials.
  4. Inspect the config/ files (rules.yaml, watchlist.yaml, allocation.yaml) to understand automated proposal rules.
  5. Install Python dependencies from a trusted environment (pip install -r requirements.txt) and review the code if you plan to grant the skill the ability to place live orders or permit autonomous agent invocation.
Review Dimensions
- Purpose & Capability [ok]: Name/description match code and required items. The skill requires Trading212 API key/secret and Python, implements portfolio summary, proposal generation, and order placement via the Trading212 REST API (demo/live endpoints). Required env vars and declared binaries are proportionate to the stated functionality.
- Instruction Scope [note]: SKILL.md and scripts instruct running pip install -r requirements.txt and running the provided Python scripts. The skill loads a .env file (if present) before initializing, reads config/*.yaml files, and writes snapshots to a snapshots/ directory. SKILL.md emphasises explicit user confirmation before executing trades, but the code provides an execute_trade mode that will place orders when invoked with parameters; therefore the agent or user must follow the confirmation guidance to avoid unintended live orders.
- Install Mechanism [ok]: No install spec provided; the skill includes a requirements.txt (requests, python-dotenv, pyyaml) and asks the user to run pip install -r requirements.txt. These are common packages from PyPI; there are no downloads from untrusted URLs or archive extraction steps in the bundle.
- Credentials [note]: The only mandated secrets are TRADING212_API_KEY and TRADING212_API_SECRET (primary credential declared). Optional env vars (TRADING212_DEMO, TRADING212_SNAPSHOT_DIR, TRADING212_RULES_PATH) are reasonable. One caveat: the code automatically loads a .env file (if present) into the process environment (via python-dotenv). If a project .env contains unrelated secrets, those values will be accessible to the running code; while the code does not appear to read or transmit unrelated secrets, loading .env increases the surface area and should be considered before installation.
- Persistence & Privilege [note]: The skill writes daily snapshot JSON files to a snapshots/ directory (created if missing) and uses in-memory caching. It does not request always:true and does not modify other skills. Because it can place live orders when TRADING212_DEMO=false, granting it API credentials plus allowing autonomous invocation increases risk; the SKILL.md warns to require explicit confirmation and to keep demo=true by default.
