Firm Fintech Pack
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only fintech bundle is coherent and purpose-aligned, but users should review companion skills and manually enforce its security settings before using it with real financial data.
This skill appears benign as provided, but use it carefully with real fintech data: review any recommended companion skills before installing them, anonymize customer and transaction data when possible, and manually confirm read-only, audit, and secure-production settings are active.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the recommended companion skills could add new capabilities beyond this instruction-only bundle.
The skill recommends user-run installation of multiple companion skills using the latest tag. This is disclosed and purpose-aligned, but those additional skills and versions are outside this artifact and should be reviewed before installation.
npx clawhub@latest install biz-reporter ... npx clawhub@latest install firm-orchestration
Review each companion skill’s permissions, source, and version before installing it, and prefer pinned versions where possible.
Sensitive financial details could be shared across spawned sessions or retained in session history if users provide real data.
The declared tools allow creating sessions, sending messages, and reading session history. That fits the firm-orchestration purpose, but fintech workflows may route sensitive transaction or customer context across agent sessions.
tools:
 - sessions_send
 - sessions_spawn
 - sessions_history
Use anonymized inputs where possible, confirm which sessions receive data, and keep regulatory reviews read-only as the skill suggests.
A user might assume secure/read-only modes are automatically active when they may need to be configured separately.
The skill’s safety posture depends on environment flags, but the supplied registry metadata declares no required environment variables. Users should treat these as manual configuration guidance rather than enforced controls.
Financial data is tier-1 sensitive: `SECURE_PRODUCTION_MODE=true` mandatory ... `READ_ONLY_MODE=true` for all regulatory review workflows
Manually verify secure production, audit logging, and read-only settings before processing real financial or regulatory data.
