Skill v1.1.0
ClawScan security
TV Signal Screener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 4:12 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, install steps, and runtime instructions are consistent with a TradingView-based screener and do not request unnecessary credentials or unusual system access.
- Guidance: This skill appears coherent and implements a YAML-driven TradingView screener that installs dependencies into a local venv and runs Python scripts. Before installing: (1) review and trust the source — there is no homepage and the registry/source metadata is minimal; (2) be aware that the skill depends on the third‑party tvscreener PyPI package (audit that package if you have concerns); (3) only use signal YAML files you trust — expressions are validated but are evaluated via pandas.eval, so untrusted expressions may be risky; (4) run the install and scripts in an isolated environment (container or VM) if you want to limit blast radius. Overall the files and instructions match the stated purpose and request no disproportionate access.
Review Dimensions
- Purpose & Capability (ok): Name/description (TradingView screener) align with the included Python scripts and YAML-driven signals. Required packages (tvscreener, pandas, pyyaml) are appropriate for the stated functionality. No environment variables, external credentials, or unrelated binaries are requested.
- Instruction Scope (note): SKILL.md only instructs installing dependencies into a skill-local venv and running the provided scripts. The code operates on local YAML signal files and uses the tvscreener library to fetch market data. One area to be aware of: user-supplied expression signals are evaluated via pandas.eval after lightweight validation — this is expected for the feature but means you should only run expressions/signals from trusted sources.
- Install Mechanism (ok): Install uses a provided install.sh to create a local virtual environment and pip-install requirements from scripts/requirements.txt (PyPI packages). This is a standard, traceable install method for Python code; no downloads from arbitrary URLs or archive extraction are performed.
- Credentials (ok): The skill declares no required env vars, no primary credential, and no config paths. The runtime code does not attempt to read system credentials or unrelated config files. Dependency on a third-party tvscreener package is expected and proportional.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or global agent settings. It creates a venv inside its directory for its own use, which is normal.
