v1.0.0

Etf Assistant 1.0.1

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

The skill is a coherent ETF lookup and calculator that does not access accounts or change data, though it makes Yahoo Finance requests and has minor packaging metadata gaps.

GuidanceBefore installing, know that quote and comparison requests go to Yahoo Finance, the local tools curl/python3/bc may be needed despite not being declared, and the investment outputs should be treated as informational rather than financial advice.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

etf-assistant.sh

local response=$(curl -s "https://query1.finance.yahoo.com/v8/finance/chart/${code}.SS" 2>/dev/null | head -100)

The quote and comparison features send the user-provided ETF code to a fixed Yahoo Finance endpoint. This is disclosed and purpose-aligned, but it is external network tool use.

User impactETF codes queried through the price or compare commands may be sent to Yahoo Finance; the artifacts do not show credentials, local files, or account data being sent.

RecommendationUse it for public market-data lookups and avoid entering unrelated sensitive personal information as a ticker or search value.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Version: 1.0.0; Required binaries (all must exist): none; No install spec

The included shell script invokes curl, python3, and bc, so the runtime dependency contract is underdeclared. The packaged _meta.json also lists version 1.0.1 while the registry metadata lists 1.0.0, creating a minor provenance/packaging clarity issue.

User impactThe skill may fail or behave differently if expected local tools are missing, and users may need to reconcile the package metadata before relying on provenance.

RecommendationDeclare required binaries and align registry/package metadata; users should review the shell file and ensure curl, python3, and bc are available before use.