Back to skill
Skillv1.0.0
ClawScan security
liyan de skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 8:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required capabilities, and requested resources align with its stated purpose (real-time and historical gold-price analysis) and it does not request extra credentials or install code.
- Guidance
- This skill appears coherent and low-risk: it only uses web search to collect public market and ETF data and contains no code or credential requests. Before installing, confirm that (1) you are comfortable with the agent making external web searches for user queries (search providers may log requests), (2) you understand outputs are informational and not authoritative investment advice, and (3) you verify any critical prices/ETF data against trusted, real‑time sources (exchange/fund websites) before acting. If you need stronger privacy, restrict or review the web_search tool or test the skill with non-sensitive example queries first.
Review Dimensions
- Purpose & Capability
- okThe name/description promise (real-time domestic & international gold prices, 3‑month history, trend analysis, ETF recommendations) matches the SKILL.md steps which explicitly use web searches to collect prices, ETF data and news. There are no unrelated requirements (no extra env vars, binaries, or install steps).
- Instruction Scope
- noteThe SKILL.md requires use of the web_search tool to fetch live prices, historical points and ETF stats and prescribes a strict six‑module report template. This is within the stated scope, but the instructions mandate always using web_search and producing an ASCII chart from fetched data—if web_search is unavailable or returns limited data the skill instructs the agent to report that fact. The agent will send queries to external search providers (expected for live data) — consider whether that aligns with your privacy expectations.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. No software is downloaded or written to disk, which minimizes install-time risk.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. All declared tooling needs are limited to web_search, which is proportionate to the goal of retrieving live market data.
- Persistence & Privilege
- okNo 'always: true' setting and default autonomous invocation is allowed (platform default). The skill does not request persistent system changes or cross-skill configuration access.