v1.0.0

Investing

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

The skill is mostly coherent for investing research, but it includes instructions and recurring prompts to execute real brokerage or crypto trades without explicit confirmation safeguards.

Guidance: Use this skill for research and calculations, not autonomous trading. Do not let an agent operate logged-in brokerage or crypto accounts from these instructions unless you give a specific trade request and confirm the final order details. If you use the scripts, expect read-only network calls to Yahoo Finance and CoinGecko and make sure curl, jq, and bc are installed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Run: monthly-dca.sh [budget]
Execute trades via:
- Interactive Brokers (ETFs)
- Bitstamp/Kraken (Crypto)

This directs the agent workflow toward real brokerage and crypto-exchange trades, but the artifact does not add explicit user-confirmation, order-size, account, or reversal safeguards.

User impact: If the agent has access to a logged-in broker or crypto account, these instructions could lead to unintended financial transactions.
Recommendation: Treat the skill as informational unless the user explicitly asks for a specific trade. Add a mandatory confirmation step with exact asset, venue, amount, fees, and final approval before any financial transaction.

Rogue Agents
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
"name": "Monthly DCA Reminder", "schedule": { "kind": "cron", "expr": "0 10 1 * *" }, "payload": { "kind": "agentTurn", "message": "Monthly DCA time! Check budget, run monthly-dca.sh, execute trades." }

The skill documents a recurring scheduled agent turn. It is presented as a cron example rather than an automatic install action, but it would create persistent monthly agent activity if configured.

User impact: A configured reminder could repeatedly prompt investment actions, including trade execution language, even when the user did not start that session manually.
Recommendation: Only enable scheduled jobs intentionally, keep them as reminders or analysis tasks, and require fresh user approval before any trade or account change.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
check-etf-prices.sh
curl -s "https://query1.finance.yahoo.com/v8/finance/chart/VWCE.DE" ... | jq -r ...
...
if (( $(echo "$BTC < 50000" | bc -l) )); then

The helper script relies on external market-data services and local binaries such as curl, jq, and bc, while the registry requirements declare no required binaries.

User impact: Users may see runtime failures or unexpected network access unless they understand the helper script requirements.
Recommendation: Declare required binaries and external data sources in the skill metadata, and keep these scripts limited to read-only market-data lookups.