Skill v1.0.3

ClawScan security

Claw Screener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 5:40 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and declared requirements are consistent with a stock-screener that fetches public SEC and Yahoo Finance data, caches results to local SQLite files, and exposes CLI commands; nothing requests unrelated credentials or surprising system access.
Guidance
This skill appears to do what it says: fetch public Yahoo/SEC data, compute indicators, and cache results locally. Before installing or running it: (1) verify src/secApi.ts to confirm it only calls EDGAR or other documented public endpoints (no hidden upload/telemetry endpoints); (2) be aware it needs network access and will create SQLite cache files and a watchlist JSON (run it in a sandbox or dedicated folder if you want to contain files); (3) ensure you have bun >=1.3.1 available or run via a Node environment that supports the dependencies; (4) no credentials are required — do not provide secrets. If you want extra assurance, run the code in a disposable container and inspect outgoing network traffic on first run.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (technical + Buffett-style fundamental screening for US/Thai markets) matches the code and SKILL.md. The code uses yahoo-finance2 and SEC data (via a local SECClient), maintains local caches, and provides the CLI entrypoints described. Declared runtime (bun >=1.3.1) and cache/watchlist files align with the stated purpose.
Instruction Scope
Status: note
Runtime instructions run TypeScript files via bun. The scripts read/write local cache files (sec_cache.db, price_cache.db) and a watchlist (~/.claw-screener-watchlist.json), which is reasonable for a screener. As with any networked screener, the skill performs many network calls to Yahoo and EDGAR; the SKILL.md explicitly documents long initial run times. Recommend reviewing src/secApi.ts to confirm it only queries public EDGAR endpoints (no hidden/private endpoints).
Install Mechanism
Status: ok
No installer or remote download is declared (instruction-only for running the included code). The repo contains package.json/package-lock with standard npm dependencies (yahoo-finance2, sql.js). No unusual external binary downloads or obfuscated install steps were observed in the provided manifest.
Credentials
Status: ok
The skill does not request environment variables or credentials. It only needs network access to public data sources and file system access to store local SQLite caches and a watchlist file — proportionate to its purpose. There are no signs it requires unrelated tokens or secrets.
Persistence & Privilege
Status: note
always:false and user-invocable: normal. The skill creates/updates local cache DBs (sec_cache.db, price_cache.db) and a watchlist JSON; this is expected for caching/alerts. If you prefer, run in a controlled directory or container to confine these files to a location you control.