Skill v1.0.0
ClawScan security
Groww · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:40 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's behavior is broadly coherent for a Groww trading integration, but there are metadata inconsistencies (required API key present in the skill metadata but missing from the registry summary) and missing/unclear operational details (references to an MCP server) that warrant caution before installing or providing credentials.
- Guidance
- This skill appears to do what it says (use a Groww API key to query market data and place orders), but before installing or supplying any API key:
  1) Verify the skill publisher and ask why the registry metadata omits the required GROWW_API_KEY while the included _meta.json and SKILL.md require it.
  2) Confirm whether the Groww API endpoints and the 'groww-mcp' mcporter service are legitimate and who operates them. mcporter calls point to an external server; understand where your requests (and keys) will be sent.
  3) Limit privileges: if Groww supports scoped or sandbox keys, use those for testing; avoid giving a full-permission live trading key until you trust the skill.
  4) Test with read-only operations (portfolio, quotes) before enabling order placement.
  5) If you cannot verify the MCP server provenance or the registry metadata discrepancy, do not install or provide your GROWW_API_KEY.
  If you contact the publisher, ask for a clear explanation and for the origin of the groww-mcp server and mcporter tooling.
Review Dimensions
- Purpose & Capability
- note: The skill's name, description, SKILL.md, and _meta.json consistently describe a Groww trading integration and the use of a GROWW_API_KEY; that credential is appropriate for the stated purpose. However, the registry summary reported no required env vars or primary credential, which conflicts with the included _meta.json and SKILL.md. This inconsistency is unexplained and should be clarified with the publisher.
- Instruction Scope
- note: SKILL.md limits actions to Groww portfolio, market-data, and order endpoints and shows example curl commands using GROWW_API_KEY. It does not instruct reading unrelated files or other credentials. Concern: it references a 'groww-mcp' server and mcporter calls with no install or provenance information for that server/tool; that gap makes runtime behavior ambiguous (where are these calls routed and who operates the MCP server?).
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files, the lowest-risk install mechanism. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- note: The only credential referenced (GROWW_API_KEY, the primaryEnv in _meta.json and SKILL.md) is proportionate to a trading integration. However, the registry summary metadata claimed no required env vars; this mismatch is suspicious and should be resolved. No other secrets or unrelated environment access are requested.
- Persistence & Privilege
- ok: always is false and there is no install step that requests persistent system presence or modifies other skills/configs. The skill would run only when invoked (or autonomously if the agent chooses to call it, which is the platform default).
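The metadata mismatch flagged under Purpose & Capability and Credentials, and the routing and read-only checks in the Guidance, can be done mechanically before installing. The script below is an added example, not ClawHub or ClawScan code, and not the Groww skill's own files: it cross-checks a registry summary, a _meta.json and a SKILL.md for undeclared credentials, external hosts that will receive the bearer key, mcporter calls to an MCP server of unknown provenance, an always-on flag, and curl commands that place orders rather than read data. The three inputs are constructed samples; the field names (requiredEnv, primaryEnv, always), the mcporter command syntax and the host api.groww.example are assumptions.

```python
"""Pre-install consistency check for an instruction-only skill package.

Added example (not ClawHub/ClawScan code). Cross-checks the registry summary,
the skill's _meta.json and its SKILL.md. All inputs are constructed samples; the
field names (requiredEnv, primaryEnv, always), the mcporter syntax and the host
api.groww.example are assumptions, not facts about the real skill.
"""
import re
from urllib.parse import urlparse

# Constructed registry summary: reports no required credential (the discrepancy).
REGISTRY_SUMMARY = {"name": "groww", "version": "1.0.0", "requiredEnv": []}

# Constructed _meta.json: declares the API key and no persistent presence.
META_JSON = {"name": "groww", "primaryEnv": "GROWW_API_KEY", "always": False}

# Constructed SKILL.md fragment; api.groww.example is a placeholder host.
SKILL_MD = """# Groww trading skill (constructed sample)
Export GROWW_API_KEY before use.

Portfolio (read-only):
curl -H "Authorization: Bearer $GROWW_API_KEY" https://api.groww.example/v1/portfolio

Quote (read-only):
curl -H "Authorization: Bearer ${GROWW_API_KEY}" "https://api.groww.example/v1/quote?symbol=INFY"

Place order (writes):
curl -X POST -H "Authorization: Bearer $GROWW_API_KEY" -d '{"symbol":"INFY","qty":1}' https://api.groww.example/v1/orders

Live prices via MCP (assumed mcporter syntax):
mcporter call groww-mcp.subscribe symbol=INFY
"""

ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?")          # $VAR or ${VAR}
URL_REF = re.compile(r"https?://[^\s'\"<>)]+")
# Assumed syntax: "mcporter <subcommand> <server>[.tool] ..." at line start.
MCPORTER_REF = re.compile(r"^\s*mcporter\s+\w+\s+([A-Za-z0-9_-]+)", re.MULTILINE)
# A curl line mutates state if it sets a non-GET method or sends a body.
WRITE_METHOD = re.compile(
    r"(?:-X|--request)\s+(?:POST|PUT|PATCH|DELETE)\b|\s(?:-d|--data(?:-raw|-binary)?)\s")


def env_refs(text):
    """Environment variables the instructions expand (shell-style references)."""
    return sorted(set(ENV_REF.findall(text)))


def external_hosts(text):
    """Hosts that will receive the requests, and therefore the bearer key."""
    return sorted({urlparse(u).hostname for u in URL_REF.findall(text) if urlparse(u).hostname})


def mcp_servers(text):
    """MCP server names reached through mcporter."""
    return sorted(set(MCPORTER_REF.findall(text)))


def write_operations(text):
    """URLs reached by curl lines that use a mutating method or send a body."""
    urls = []
    for line in text.splitlines():
        if line.lstrip().startswith("curl") and WRITE_METHOD.search(line):
            urls.extend(URL_REF.findall(line))
    return urls


def review(summary, meta, skill_md, trusted_hosts=()):
    """Return (kind, message) findings; trusted_hosts are endpoints you have verified."""
    findings = []
    declared = set(summary.get("requiredEnv") or [])
    if summary.get("primaryCredential"):
        declared.add(summary["primaryCredential"])
    required = set(meta.get("requiredEnv") or [])
    if meta.get("primaryEnv"):
        required.add(meta["primaryEnv"])
    used = set(env_refs(skill_md))
    for var in sorted((required | used) - declared):
        findings.append(("metadata_mismatch",
                         f"{var} is required by _meta.json/SKILL.md but missing from the registry summary"))
    for var in sorted(used - required):
        findings.append(("undeclared_env", f"SKILL.md reads {var} but _meta.json does not declare it"))
    for host in external_hosts(skill_md):
        if host not in trusted_hosts:
            findings.append(("external_host", f"requests (and the bearer key) go to {host}; confirm who operates it"))
    for server in mcp_servers(skill_md):
        findings.append(("mcp_provenance",
                         f"mcporter routes calls to MCP server '{server}' with no install/provenance info"))
    if meta.get("always"):
        findings.append(("always_on", "always=true requests persistent presence"))
    for url in write_operations(skill_md):
        findings.append(("write_operation", f"mutating call {url}: exercise read-only endpoints first"))
    return findings


# Findings that should block install or key provisioning until resolved.
BLOCKING = {"metadata_mismatch", "undeclared_env", "external_host", "mcp_provenance", "always_on"}


def verdict(findings):
    return "suspicious" if any(kind in BLOCKING for kind, _ in findings) else "ok"


if __name__ == "__main__":
    results = review(REGISTRY_SUMMARY, META_JSON, SKILL_MD)
    for kind, message in results:
        print(f"[{kind}] {message}")
    print("verdict:", verdict(results))
```

Run as-is it reproduces the report's verdict on the constructed inputs: the key required by _meta.json and SKILL.md is absent from the registry summary, the placeholder API host and the groww-mcp server are unverified, and the orders endpoint is the one write call to hold back until the read-only calls have been exercised. Passing the verified API host in trusted_hosts and removing the mcporter line is what an "ok" would require; a skill whose _meta.json set always to true would be flagged as requesting persistent presence.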
