Skill v1.0.1

ClawScan security

EODHD CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 2:11 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's docs and runtime instructions describe an EODHD Bash CLI that expects an injected EODHD_API_KEY and a scripts/eodhd entrypoint, but the published package metadata and actual file set are inconsistent (missing the entrypoint and not declaring the required env), so the bundle is incoherent until those mismatches are resolved.
Guidance
Do not install or publish this skill as-is. Key issues to resolve before trusting it:
1) scripts/eodhd (the claimed CLI entrypoint) is referenced throughout the docs and manifest but is missing from the provided file set — request or inspect that file and review its code for networking, endpoints, and any data exfiltration.
2) Fix metadata mismatches: ensure the registry/packaging metadata declares EODHD_API_KEY as a required credential and lists bash/curl as runtime dependencies so deployers know the true runtime contract.
3) Run ./scripts/check-package.sh and ./scripts/test-smoke.sh locally after adding scripts/eodhd; the check script will fail while the entrypoint is missing.
4) Verify the implementation follows the documented redaction rules (dry-run masks, no raw token in logs) and that no hidden endpoints or unexpected environment reads are present.
If the owner provides the missing entrypoint and aligns the manifest with the docs, re-evaluate — the current issues look like sloppy packaging rather than intentional malice, but they must be fixed before installation.

Review Dimensions

Purpose & Capability
concern: The SKILL.md, README, agents/openai.yaml, and reference docs consistently describe a Bash+curl CLI that requires EODHD_API_KEY and provides scripts/eodhd as the entrypoint. However, the registry-level 'Requirements' summary at the top of the package metadata lists no required env vars and no required binaries, and the actual package file list in this submission does not include the referenced scripts/eodhd file. Requiring an API key and bash/curl is appropriate for the stated purpose, but the mismatch between declared requirements and the provided files is a coherence problem.
Instruction Scope
ok: The SKILL.md instructions are narrowly scoped to building a stateless Bash CLI: they describe auth handling, redaction, exit codes, command surface, and tests. They do not instruct the agent to read unrelated system files or exfiltrate data. The instructions explicitly forbid printing secrets and storing persistent state.
Install Mechanism
ok: This is an instruction-only skill with no install spec, which is low-risk. The included scripts are simple shell smoke/test/check scripts. There is no download/install mechanism that would fetch arbitrary remote code.
Credentials
concern: The skill's docs and agents/openai.yaml declare EODHD_API_KEY as the primary required credential (and recommend OpenClaw injection). However, the top-level registry 'Requirements' reported with the skill says no required env and no primary credential. This discrepancy is significant: the runtime contract (requires EODHD_API_KEY) is appropriate, but the published metadata failing to list it is incoherent and could lead to misconfiguration or surprising behavior if installed as-is.
Persistence & Privilege
ok: The skill does not request persistent presence (always: false) and the SKILL.md explicitly requires stateless behavior (no config, caches, or token stores). There is no evidence the skill attempts to modify other skills or system-wide settings.