Investing

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly transparent, but it includes instructions and scheduled prompts to execute investment trades without explicit human confirmation safeguards.

Use this skill as an informational investing checklist only. Do not let it place trades automatically; require manual review and explicit approval for every broker or crypto-exchange action, and review the shell scripts before running them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent with browser or account access follows this literally, it could attempt to place real investment or crypto trades.

Why it was flagged

The skill moves beyond research and calculations into directing trade execution on financial platforms. The artifact does not state that trades must be confirmed by the user before any action.

Skill content

Run: monthly-dca.sh [budget]
Execute trades via:
- Interactive Brokers (ETFs)
- Bitstamp/Kraken (Crypto)

Recommendation

Limit the skill to analysis, reminders, and draft trade plans unless the user gives explicit, per-transaction confirmation. Add clear wording that the agent must never place trades automatically.

What this means

If the user enables these cron jobs, the agent may periodically wake up and act on investment reminders without the user initiating each session.

Why it was flagged

The skill documents recurring scheduled agent turns. This is disclosed and aligns with market monitoring, but the monthly scheduled prompt includes trade-execution language.

Skill content

"schedule": { "kind": "cron", "expr": "0 10 1 * *" },
"message": "Monthly DCA time! Check budget, run monthly-dca.sh, execute trades."

Recommendation

Use scheduled jobs only for alerts or reminders, and require an explicit user approval step before any financial account action.

What this means

Running the script will contact Yahoo Finance and CoinGecko and requires local tools such as curl, jq, and bc.

Why it was flagged

The included script runs local shell commands and calls external market-data APIs. This is expected for a price-checking investing skill and does not show hidden execution or exfiltration.

Skill content

VWCE=$(curl -s "https://query1.finance.yahoo.com/v8/finance/chart/VWCE.DE" 2>/dev/null | jq -r '.chart.result[0].meta.regularMarketPrice // "N/A"')

Recommendation

Review scripts before running them and ensure required local tools are installed from trusted sources.

What this means

Users have less external context for the skill's author, maintenance history, or review process.

Why it was flagged

The registry information does not provide a public source or homepage. The included code is small and visible, so this is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the publisher and have reviewed the visible SKILL.md and shell scripts.