Firm Fintech Pack
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: firm-fintech-pack
Version: 1.0.0
The skill bundle appears benign. The `SKILL.md` file primarily provides documentation, configuration examples, and security recommendations for the user and the agent's operation. It explicitly promotes secure practices such as `sandbox.mode: "non-main"`, `READ_ONLY_MODE=true`, and `AUDIT_ENABLED=true`. There are no instructions for the agent to perform unauthorized actions, exfiltrate data, or execute arbitrary commands. The `npx clawhub@latest install` commands are presented as recommendations for the human operator, not as instructions for the AI agent to execute.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the recommended companion skills could add new capabilities beyond this instruction-only bundle.
The skill recommends user-run installation of multiple companion skills using the latest tag. This is disclosed and purpose-aligned, but those additional skills and versions are outside this artifact and should be reviewed before installation.
npx clawhub@latest install biz-reporter ... npx clawhub@latest install firm-orchestration
Review each companion skill’s permissions, source, and version before installing it, and prefer pinned versions where possible.
Sensitive financial details could be shared across spawned sessions or retained in session history if users provide real data.
The declared tools allow creating sessions, sending messages, and reading session history. That fits the firm-orchestration purpose, but fintech workflows may route sensitive transaction or customer context across agent sessions.
tools:
  - sessions_send
  - sessions_spawn
  - sessions_history
Use anonymized inputs where possible, confirm which sessions receive data, and keep regulatory reviews read-only as the skill suggests.
A user might assume secure/read-only modes are automatically active when they may need to be configured separately.
The skill’s safety posture depends on environment flags, but the supplied registry metadata declares no required environment variables. Users should treat these as manual configuration guidance rather than enforced controls.
Financial data is tier-1 sensitive: `SECURE_PRODUCTION_MODE=true` mandatory ... `READ_ONLY_MODE=true` for all regulatory review workflows
Manually verify secure production, audit logging, and read-only settings before processing real financial or regulatory data.
