Skill v4.14.18
ClawScan security
quant-buddy-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 8:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, files, and runtime instructions are consistent with a market-data / quant research tool that legitimately needs a platform API key and optional news API key; nothing requested appears unrelated to the stated purpose.
- Guidance
- This skill appears internally consistent: it is a market-data/quant research tool that legitimately needs a quant-buddy API key (kept in config.json) and an optional Bocha API key for news. Before installing, consider these actions: 1) Review the shipped Python scripts (especially scripts/call.py and scripts/quant_api.py) if you want to confirm the API key is only sent to the declared quantbuddy endpoints and not logged or forwarded elsewhere. 2) Keep the config.json (which will contain your api_key) in a secure location — the key is stored on-disk in the skill directory, so treat that file like a secret. 3) Only paste the sk- API key into the skill when you trust the skill and host; avoid sharing credentials in chat messages. 4) If you do not use the optional event-study news feature, you do not need to set BOCHA_API_KEY. If you want an even stronger assurance, run the skill in a restricted environment or inspect outbound network calls during a controlled test to verify endpoint usage.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the requested artifacts: the skill is a quantitative market-data tool and it requires a quant-buddy API key (stored in config.json) and an optional Bocha news API key for an optional feature. The large set of presets/workflows is coherent for a quant research skill.
- Instruction Scope
- ok: SKILL.md directs the agent to read the skill's config and workflow files, create a local session, and call local Python scripts or native platform tools to fetch data. Those actions are consistent with the stated tasks. The only runtime file the skill asks to read is config.json (declared); it does instruct reading many local presets/workflows (which are part of the skill) — expected for workflow routing and formula lookups.
- Install Mechanism
- ok: No install spec is provided (instruction + shipped Python scripts). Runtime uses Python 3.8+ and lists optional Python packages (python-dateutil, Pillow). No external download URLs or installers are present in the metadata.
- Credentials
- note: The skill requests one primary credential (quant-buddy API Key stored in config.json) and an optional BOCHA_API_KEY for an optional feature — proportional to its functionality. The SKILL.md asserts the API key will only be sent as an Authorization header to the declared quantbuddy endpoints and not logged or forwarded; this is plausible but cannot be independently verified without auditing the shipped scripts (notably scripts/call.py and scripts/quant_api.py).
- Persistence & Privilege
- ok: always is false (not force-included). The skill stores its API key in config.json within the skill directory (declared). It does not request system-wide or unrelated credential access or try to modify other skills' configuration in the provided docs.
