Back to skill
Skillv2.0.0
ClawScan security
stock_data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 11:56 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are coherent with its stated purpose (scraping SimplyWall.st pages for stock data); no credentials or unexpected endpoints are requested, but the packaged dependency handling and a truncated file excerpt reduce confidence.
- Guidance
- The skill appears to do exactly what it says — scrape SimplyWall.st pages and parse embedded React state — and it doesn't request credentials. Before installing: 1) inspect the full skill.py (the provided excerpt was truncated) to confirm there are no hidden network calls or telemetry; 2) ensure aiohttp will be available in the runtime (or install it) since there's no install step; 3) consider running the skill in an isolated environment because it performs HTTP fetches; and 4) verify that scraping SimplyWall.st complies with your legal/terms-of-service constraints.
Review Dimensions
- Purpose & Capability
- okThe name/description (fetch stock data from SimplyWall.st) matches the code and SKILL.md: the code constructs SimplyWall.st URLs, fetches HTML, and extracts __REACT_QUERY_STATE__ to build the described fields. No unrelated services, credentials, or binaries are requested.
- Instruction Scope
- okSKILL.md and skill.py instruct only to fetch and parse SimplyWall.st HTML for stock data; they do not reference local secrets, other system files, or external destinations beyond simplywall.st. The runtime command is explicit (python3 skill.py {TICKER} {EXCHANGE}).
- Install Mechanism
- noteThere is no install spec; the code requires aiohttp (it raises ImportError if missing). A small venv/pyvenv.cfg is included in the package (no site-packages shown). This is not immediately malicious but means dependencies must be present or installed separately; bundling a venv can be surprising and should be inspected.
- Credentials
- okThe skill requests no environment variables or credentials and does not attempt to read config paths. Its network access is limited to SimplyWall.st URLs constructed from provided tickers/exchanges, which is appropriate for the stated purpose.
- Persistence & Privilege
- okFlags show default privileges (not always: true). The skill does not request persistent system privileges or modify other skills' configs from what is visible.