v1.0.0

Earnings Tracker

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

This earnings-tracking skill mostly matches its purpose, but needs review because it can reuse an undeclared OpenAI API key with a different translation service.

GuidanceReview before installing. Use dedicated Tavily and ZAI/GLM keys, avoid running this in an environment that contains an OPENAI_API_KEY unless the fallback is removed, verify package dependencies before installing, and configure cron reminders only if you want recurring automated checks.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

"schedule": { "kind": "cron", "expr": "0 9 * * 1-5" }, ... "message": "运行 earnings-tracker check 命令，检查追踪公司的财报动态..."

SKILL.md provides a cron example that would cause recurring weekday agent turns to run the tracker.

User impactIf configured, the skill can make recurring API calls and produce reminders without a fresh manual prompt each time.

RecommendationEnable the cron job only if you want scheduled checks, and monitor API usage limits and reminder frequency.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

package.json

"dependencies": { "playwright": "^1.40.0" }

The package declares a mutable Playwright dependency even though the skill is described as instruction-only and SKILL.md says Playwright was removed.

User impactInstalling dependencies could pull in extra code that is not needed for the documented workflow.

RecommendationDo not run npm install unless necessary; if packaging this skill, remove unused dependencies and pin any required packages.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

fetch-earnings.js

const apiKey = (process.env.ZAI_API_KEY ?? process.env.OPENAI_API_KEY ?? '').trim(); ... fetch('https://open.bigmodel.cn/api/paas/v4/chat/completions', ... 'Authorization': `Bearer ${apiKey}`)

The script may take an OPENAI_API_KEY from the environment and send it as a Bearer token to BigModel/GLM. SKILL.md documents ZAI_API_KEY for GLM translation, but not this OpenAI-key fallback.

User impactIf your agent environment contains an OpenAI API key and no ZAI key, the skill could disclose that OpenAI key to a different provider during translation requests.

RecommendationRemove the OPENAI_API_KEY fallback, require an explicit ZAI_API_KEY for BigModel, and declare all required or optional credentials in metadata before installation.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

fetch-earnings.js

const TRACK_FILE = path.join(__dirname, '.tracked-companies.json'); ... fs.writeFileSync(TRACK_FILE, JSON.stringify(companies, null, 2));

The script stores the user's tracked company list in a persistent local file and reuses it for later list/check workflows.

User impactTracked symbols may reveal portfolio interests or watchlists and can be reused in future checks.

RecommendationOnly track symbols you are comfortable storing locally and querying through the configured search provider; clear .tracked-companies.json if you no longer want the list retained.