Skill v1.0.7
ClawScan security
Equity Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 11, 2026, 9:12 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions largely match its stated purpose (scraping Naver Finance and scoring stocks), but there are multiple implementation oddities and local-path / shell execution behaviors that don't align cleanly with the SKILL.md and raise privacy/operational concerns.
- Guidance: What to consider before installing/running this skill:
  - Functionality vs environment: The skill's purpose (Naver-based equity scoring) matches the code, but several scripts expect a Windows developer environment (hardcoded Python path C:/Users/IM/...) and an OpenClaw browser profile. If your agent runs on a different OS or lacks that Python path, the scripts will fail or attempt fallback behavior.
  - Local file access: Some scripts read or write absolute user-specific paths (e.g., C:/Users/IM/.openclaw/workspace/test_morning_report.json, morning_report_output.txt). If those files exist, the skill may process them; if not, it may error. Consider inspecting and removing or editing these paths before use.
  - Shell execution & browser snapshots: The skill uses subprocess.run (often with shell=True) to call external commands (openclaw browser, snapshot). That allows the skill to execute arbitrary shell commands if modified; review the scripts before granting runtime permissions. Also, browser snapshots parse raw page contents; snapshots could include sensitive info depending on your browser state.
  - Outbound actions not declared: Scripts mention sending reports to LINE, but no LINE token is requested in metadata. If you supply messaging tokens later (or modify scripts), the skill could send data externally. Confirm any external webhook/API configuration and audit where credentials would be stored.
  - Suggested mitigations: (1) Run the skill in a sandboxed environment first; (2) Inspect and, if needed, edit scripts to remove hardcoded absolute paths and replace the hardcoded Python executable with a generic 'python' on PATH; (3) Remove or implement safe handling for any report-sending code (LINE) and ensure any tokens are provided explicitly and stored securely; (4) If you don't want the skill to read local files, search the code for references to user-specific paths and remove them.
Overall: the skill appears to implement its stated analysis framework (not obviously malicious), but environment-specific hardcoded paths, local-file access, and shell command usage are inconsistent with the clean SKILL.md metadata and raise privacy/operational concerns — review and sanitize before running in production.
Review Dimensions
- Purpose & Capability
- note: The name/description (Korean equity analysis using Naver Finance) matches the included scraper and analyzer scripts. However, the package contains Windows-specific hardcoded items (skill.yaml 'bins' pointing to C:/Users/IM/.../Python310/python.exe and multiple scripts calling that exact python executable), plus references to sending reports to LINE and to an 'openclaw' browser profile. Those items are plausible for a desktop cron/report workflow but are environment-specific and not declared in SKILL.md metadata (e.g., no required binaries or credentials listed).
- Instruction Scope
- concern: SKILL.md instructs the agent to use a browser to visit Naver Finance and extract specified fields, consistent with the scripts. But the scripts also: (1) use subprocess.run(shell=True) to call 'openclaw browser' and other commands; (2) create/read local files using absolute user-specific paths (e.g., C:/Users/IM/.openclaw/workspace/test_morning_report.json, morning_report_output.txt); (3) take browser snapshots and parse raw page output; and (4) mention sending reports to LINE. SKILL.md does not warn that the skill will read those local paths or require access to an OpenClaw browser profile. These behaviors expand runtime scope (local filesystem access, shell command execution, full-page scraping) beyond the minimal description.
- Install Mechanism
- ok: There is no install spec (instruction-only), which is low risk in terms of remote code download. However, the repository includes executable scripts that will run when invoked. No remote downloads or extraction steps are present in the manifest.
- Credentials
- concern: The skill declares no required env vars or credentials, and that's consistent with most code. But scripts reference external services and actions that typically require credentials or environment setup (sending to LINE, using an 'openclaw' browser profile). The explicit hardcoded Python path in skill.yaml and scripts is disproportionate and brittle; it implies expectation of a specific user environment. The skill may also read user workspace files if they exist (hardcoded test paths), which is a privacy risk not reflected in the declared requirements.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills, and does not declare persistent background behavior. It will, if invoked, run scripts that open browser pages, perform web requests, and read/write files in the working directory; these are normal for a scraper but are not privileged by the registry metadata.
