Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Investment Analyzer

v1.1.1

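AI investment analysis and decision assistant that provides users with analysis and recommendations for stock, cryptocurrency and real-estate investments. Supports real-time data analysis, risk assessment and investment strategy optimization.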

0 stars · 202 downloads · 1 current · 1 all-time
by Liunk @mwz747512353

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mwz747512353/ai-investment-analyzer.

Install the skill "AI Investment Analyzer" (mwz747512353/ai-investment-analyzer) from ClawHub.
Skill page: https://clawhub.ai/mwz747512353/ai-investment-analyzer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install ai-investment-analyzer

ClawHub CLI

npx clawhub@latest install ai-investment-analyzer

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the Node.js code align: the skill provides stock/crypto/real-estate analysis, portfolio optimization and risk assessment. However the SKILL.md and README advertise 'real-time data API integration' yet the package declares no required env vars/credentials and the code uses only simulated/mock data. This mismatch (advertised external API integration vs no declared credentials) is plausible for an early/demo release but is a point worth noting.
Instruction Scope
Runtime instructions are limited to running the included CLI commands (analyze, portfolio optimize, risk assess, forecast). The SKILL.md does not instruct reading unrelated system files or exfiltrating data. However repository files (publish-manual.txt) contain instructions and a ClawHub login token which would allow external publishing of the repository — that is unrelated to the skill's runtime purpose and introduces an external-facing risk.
Install Mechanism
There is no install spec (instruction-only install method), and no remote downloads or extract steps. This lowers installation risk. The included Node.js files run locally and only read/write a local analysis_log.json file.
Credentials
The skill declares no required environment variables or primary credential, which is consistent with its current simulated-data implementation — but examples/config.json and the prose discuss API keys for data providers. More importantly, publish-manual.txt embeds a ClawHub token (token:clh_stbFXRYc9RTR1Ck7e940tJ1e4AN0EU8X5S_MhoC8MFM). An embedded publish/login token in the repository is disproportionate and potentially sensitive: it could be misused to post or modify content on the referenced platform.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. The runtime writes a local analysis_log.json (normal for a CLI tool). There is no evidence the skill attempts to persistently elevate privileges or auto-enable itself.
Scan Findings in Context
[embedded_token_in_publish_manual] unexpected: publish-manual.txt contains a ClawHub login token string (token:clh_stbFXRYc9RTR1Ck7e940tJ1e4AN0EU8X5S_MhoC8MFM). A publishing/login token is unrelated to runtime analysis and should not be included in distributed skill files; this is a sensitive secret leak.
[child_process_execSync_import] expected: analyzer.js imports child_process.execSync. A CLI tool may legitimately use child_process, but in the provided code execSync is imported and not used — this looks like leftover or sloppy code rather than active remote execution. Still, child_process usage in general is something to review for potential shell invocation.
What to consider before installing
  • Treat this as a demo/local tool, not a production trading system. The code uses simulated/mock prices and does not implement real-time API integration out-of-the-box.
  • Do NOT reuse or trust the ClawHub login token found in publish-manual.txt — it appears to be an embedded secret. If you manage or have mirrored this repo, rotate any exposed tokens/credentials and remove them from the repository history.
  • If you intend to connect real data providers (Yahoo/AlphaVantage/Binance/Coinbase/Zillow), add API keys in a secure config mechanism (not in repo files) and verify the skill explicitly declares required env vars before providing secrets.
  • Review analyzer.js for any shell execution or network calls before running on a machine with sensitive data. The script writes analysis_log.json to the working directory — consider where that file will live and who can read it.
  • Verify the maintainer and source: the homepage points to a GitHub repo under AIFinanceAssistant; confirm ownership and review upstream commits. If you plan to use this for real investing, audit the algorithms, test thoroughly, and consider legal/regulatory implications.

If you want, I can: (1) point to the exact lines where the token appears, (2) suggest a safe recipe to remove secrets and sanitize history, or (3) produce a short checklist to harden this skill before use.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, business, commodities, crypto, finance, forex, international, investment, latest, real-estate, stock

202 downloads
0 stars
3 versions
Updated 3w ago
v1.1.1
MIT-0

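AI Investment Analysis Assistant

Features

✅ Multi-asset analysis: stocks, cryptocurrencies, forex, commodities, real estate, bonds, funds
✅ Technical analysis: technical indicators, trend analysis, price prediction
✅ Fundamental analysis: financial statement analysis, valuation models
✅ Risk assessment: Monte Carlo simulation, VaR calculation, risk level assessment
✅ Portfolio optimization: asset allocation, risk diversification, return maximization
✅ Market forecasting: market trend prediction based on AI models
✅ Internationalization: multilingual output in English, Chinese, Japanese, German and others
✅ Real-time data: simulated real-time data API (real data can be integrated)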

Tool list

invest_analyze

Analyzes investment opportunities and provides a detailed risk-return assessment

ai-investment analyze <asset> <period>

portfolio_optimize

Optimizes portfolio allocation, maximizing returns while controlling risk

ai-investment portfolio optimize <portfolio_data>

risk_assessment

Assesses investment risk, providing a risk level and mitigation strategies

ai-investment risk assess <investment>

market_forecast

Provides market trend forecasts and investment recommendations

ai-investment forecast <market> <horizon>

Installation

skillhub install ai-investment-analyzer

Usage examples

Stock investment analysis

ai-investment analyze "AAPL" "1年"

Cryptocurrency monitoring

ai-investment analyze "BTC" "3个月"

Real estate valuation

ai-investment analyze "房产:上海浦东" "5年"

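Business model

Free tier

  • Basic data analysis
  • Risk level assessment
  • Simple investment advice
  • Limit of 5 uses per day
  • English and Chinese output

Paid tier ($9.99/month)

  • Advanced prediction models (AI machine learning)
  • Personalized investment strategies
  • Real-time data API access
  • No usage limits
  • Multilingual output (English, Chinese, Japanese, German)
  • Email support

Enterprise tier ($49.99/month)

  • Multi-asset portfolio optimization
  • Team collaboration features
  • Custom data interfaces
  • Priority support
  • 1,000 API calls per day
  • Technical support

Core technology

  • Machine learning models for trend prediction
  • Real-time data API integration (stocks, cryptocurrencies, real estate)
  • Risk assessment algorithms (Monte Carlo simulation, VaR calculation)
  • Portfolio optimization (mean-variance optimization algorithm)

Revenue sources

  1. Skill subscription fees
  2. API fees (third-party data interfaces)
  3. Custom analysis services (tailored solutions for enterprise customers)
  4. Investment consulting services (consulting for advanced users)

Market outlook

Market demand for AI investment assistants is currently high, especially among individual investors. By providing accurate forecasts and recommendations, the skill can help users make better investment decisions, saving money and increasing returns.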
