Skillv1.0.1

ClawScan security

Economic Calendar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 1, 2026, 5:54 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent with a straightforward Investing.com scraper: it only needs standard HTTP/HTML parsing, asks for no credentials, and does not appear to reach out to unexpected endpoints — but the provided Python file was partially truncated and there are small packaging inconsistencies to verify before use.
Guidance: This skill appears to do exactly what it says: scrape Investing.com and output filtered events. Before installing or running it: (1) review the full scripts/economic_calendar.py file (the copy provided here was truncated) to confirm there are no hidden network calls or unexpected behavior; (2) be aware scraping can violate a site's terms of service and may be blocked — the script mimics a browser and uses delays, which is expected for scraping; (3) fix the packaging mismatch (requirements.txt omits lxml even though BeautifulSoup('lxml') is used) to ensure proper dependency installation; (4) run in a restricted environment or sandbox if you want to be extra cautious, since the script makes outbound HTTP requests and writes files to disk. If you want higher assurance, provide the full, untruncated script for a line-by-line review.

Purpose & Capability: okName/description (economic calendar from Investing.com) match the included script and SKILL.md: the code builds POST requests to Investing.com, parses returned HTML, and formats output. No unrelated binaries or credentials are requested.
Instruction Scope: okSKILL.md tells the agent to run the included Python scraper with date/country/timezone filters and optional JSON output. The script operates via HTTP against investing.com, maintains a session/cookies, and writes JSON to stdout or to a local file — all within the declared purpose. There is no instruction to read unrelated local files or environment variables.
Install Mechanism: noteThis is instruction-only (no installer). Dependencies are normal Python packages for scraping. Minor inconsistency: SKILL.md and script use/require 'lxml' parser, but requirements.txt lists requests, beautifulsoup4, and pytz (lxml is missing). That is an installation/packaging oversight but not a malicious signal.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. The script uses only command-line args and makes network requests to investing.com; no secrets are accessed or required.
Persistence & Privilege: okalways:false and disable-model-invocation left default (agent may call it when allowed). The skill does not request persistent system presence or modify other skills. It writes its own output files (calendar_YYYYMMDD.json) which is expected.