Skill v1.0.2

ClawScan security

Us Macro News Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 24, 2026, 3:58 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and requirements largely match its stated purpose (monitor US macro headlines and map spillovers to Vietnam), but there are minor inconsistencies around the declared tooling/credential expectations that you should confirm before installing.
Guidance
This skill appears coherent for its stated purpose, but verify two things before installing: (1) Confirm whether the platform will supply the 'Brave API' / web-fetch capability and whether any credentials or API keys will be required — the SKILL.md mentions Brave API but the registry metadata doesn't list any env vars. Ask where those keys would be stored and ensure least-privilege access. (2) Understand how the skill will handle paywalled sources: the skill says to respect paywalls and use fallback public sources, which is good — ensure it won't attempt to bypass paywalls or access account-only content. Also note this skill produces monitoring signals, not financial advice; if you plan to provide it with an ACTIVE_WATCHLIST, confirm the agent's outputs are only signals and that you (not the skill) retain control of any trading decisions. If you need higher assurance, request a version that explicitly documents the required platform capabilities/credentials and how web fetches are authenticated and logged.

Review Dimensions

Purpose & Capability
note: The name/description (US macro → Vietnam spillovers) matches the SKILL.md workflow: collecting headlines, classifying themes, scoring confidence, and mapping to Vietnam sectors. The only mismatch is the SKILL.md's requirement for 'Brave API access' and 'OpenClaw web fetch' which are listed as tooling assumptions but are not declared as required credentials or environment variables in the registry metadata.
Instruction Scope
ok: All runtime instructions stay within the monitoring/mapping scope: fetch headlines, classify, tag tone, map transmission channels, and run quality gates. The skill explicitly instructs respecting paywalls (use accessible metadata or fallbacks) and to avoid making buy/sell recommendations, which reduces risky scope creep. It does depend on web-fetching capabilities but does not instruct reading local files, system secrets, or exfiltrating data to external endpoints beyond the listed news sources.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest-risk delivery mechanism. Nothing is downloaded or written to disk by the skill itself.
Credentials
note: The SKILL.md says it requires 'OpenClaw web fetch + Brave API access', but the skill declares no required environment variables or credentials. That is an inconsistency to clarify: Brave API usage often implies a service endpoint or key (platform-provided or user-provided). No other unrelated secrets are requested, and the skill doesn't ask for AWS/GitHub/etc. credentials.
Persistence & Privilege
ok: The skill is user-invocable, not 'always: true', and doesn't request persistent system changes or modify other skills. The normal autonomous invocation flag remains false-worthy only if combined with other red flags (which are not present).