Skill v1.0.0

ClawScan security

Financial Report Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 1:26 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions align with its stated purpose (fetching earnings data via yfinance and formatting reports); it does not request credentials or perform unexplained actions.
Guidance
This skill appears to do what it says: fetch public finance data via yfinance and produce reports. Before installing: (1) inspect the full script yourself (or run it in a disposable/virtualenv) to confirm there are no hidden network calls or file writes you don't expect; (2) install Python deps in a virtual environment and consider pinning versions (pip install package==version) to reduce supply-chain risk; (3) expect the tool to make outbound requests to Yahoo Finance (your IP and request patterns will be visible to those services) and to be subject to rate limiting; (4) note the SKILL.md mentions another API (Financial Modeling Prep) but the included code does not use an API key—if a future version required an API key, treat that credential carefully; (5) if you need higher assurance, run the script in an isolated environment or container and review network traffic.

Review Dimensions

Purpose & Capability
ok · The name/description (tracking earnings, generating summaries) matches the included script and SKILL.md. The script uses yfinance to collect company info, calendars, and financials—exactly what the skill claims to do. The SKILL.md references Financial Modeling Prep as an alternate data source but the provided code relies on yfinance, which is a reasonable (if single-source) implementation choice.
Instruction Scope
ok · Runtime instructions are limited to installing Python deps and running the provided script with a ticker argument. The SKILL.md does not direct the agent to read unrelated files, environment variables, or to transmit data to third-party endpoints other than web requests performed by yfinance/requests. The code shown only queries finance data and formats reports.
Install Mechanism
note · No install spec in registry; SKILL.md asks the user to pip install yfinance, requests, pandas. This is expected but means dependencies will be fetched from PyPI at install/runtime — a normal but non-zero supply-chain risk. There is no download-from-arbitrary-URL or archive extraction.
Credentials
ok · The skill declares no required environment variables or credentials and the code does not request secrets. That is proportionate for a tool that reads public market data. (The SKILL.md mentions Financial Modeling Prep in references but the supplied script does not require an API key.)
Persistence & Privilege
ok · The skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges here.