Plugin v1.0.0
ClawScan security
Us Stock Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Apr 23, 2026, 11:31 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and required AISA_API_KEY align with its stated purpose (calling the AIsa market-data APIs via bundled Python scripts); nothing requests unrelated credentials or hidden endpoints.
- Guidance: This package appears to do what it says: run the included Python scripts which call AIsa APIs using AISA_API_KEY. Before installing or running: (1) only provide a trusted AISA_API_KEY and confirm you trust api.aisa.one as the data recipient, (2) run the Python code inside a dedicated virtual environment (venv) to isolate dependencies, (3) review requirements.txt and install only the minimal dependencies (httpx), (4) verify any network egress policy you need (the scripts make outbound HTTPS calls to api.aisa.one), and (5) if you need higher assurance, inspect the full stock_analyst.py for any additional I/O or logging you want to control. There are no signs of hidden endpoints or requests for unrelated credentials.
Review Dimensions
- Purpose & Capability: ok. The package advertises an AIsa-backed stock/crypto analysis skill and the code and manifests consistently require AISA_API_KEY and python3 to call https://api.aisa.one endpoints. Requested resources (API key, python3, httpx) are proportional to the stated functionality.
- Instruction Scope: ok. SKILL.md restricts runtime actions to running the included Python scripts and setting AISA_API_KEY. The scripts only read the declared environment variable and make network calls to api.aisa.one; they do not reference unrelated system files, credentials, or external endpoints outside the AIsa API domain.
- Install Mechanism: note. There is no install spec (instruction-only), but the package includes Python scripts and a requirements.txt listing httpx (and an unnecessary asyncio entry). Users will need to install dependencies (e.g., pip install httpx) in a Python environment; this is normal but means third-party PyPI code could be pulled if an installer is run.
- Credentials: ok. Only AISA_API_KEY is required and is declared as primaryEnv in manifests and SKILL.md. No other tokens, secrets, or unrelated environment variables or config paths are requested.
- Persistence & Privilege: ok. The skill is not force-enabled (always: false) and is user-invocable. It does not request elevated system privileges or modify other skills' config. Autonomous invocation remains allowed by default but is expected for skills.
