Skillv1.0.2

ClawScan security

Options Trading Brain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 30, 2026, 1:54 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements, embedded scripts, and behavior are consistent with an options-trading signal generator; it asks for no credentials and has no installer, but it will perform network calls (yfinance/Yahoo) and expects Python libs to be present.
Guidance: This skill appears coherent for generating options signals and does not request credentials or install software. Before installing: (1) Understand it will fetch data from Yahoo via yfinance (network calls) and requires Python + libraries — install those in an isolated environment if you are cautious. (2) The SKILL.md promises 'Unusual Whales' monitoring but the provided scripts use yfinance; if you expect Unusual Whales data, verify how that integration would work and whether an API key is required. (3) Treat any trading signals as heuristics, not guaranteed advice — backtest or paper-trade before risking capital. (4) Because there is no installer, review the full SKILL.md content yourself and ensure your agent runtime will not execute unreviewed code with broader system access.

Review Dimensions

Purpose & Capability: noteName and description match the included scripts: whale scanning, Elliott wave counting, Bollinger analysis, multi-timeframe trend and liquidity heuristics. The SKILL.md references Unusual Whales as 'optional', but the provided scripts rely on yfinance (Yahoo) rather than an Unusual Whales API — this is plausible but worth noting as a mismatch between marketing text and implementation.
Instruction Scope: okRuntime instructions are script-driven and limited to fetching market data (yfinance/yahoo), computing indicators, and printing signals. The instructions do not request reading unrelated system files or environment variables, nor do they instruct sending data to third parties beyond the market-data sources. They will perform network I/O to fetch market data, which is expected for this purpose.
Install Mechanism: noteThis is an instruction-only skill with no install spec — lower risk because nothing is written by an installer. However the SKILL.md declares Python 3.10+ and libraries (yfinance, numpy, scipy) but does not provide an explicit install step; users must ensure those dependencies exist in their environment.
Credentials: okThe skill requests no environment variables, credentials, or config paths. That is proportionate to its stated purpose. It mentions an optional Unusual Whales subscription but does not require or hard-code API keys.
Persistence & Privilege: okThe skill does not request 'always' persistence, does not modify other skills, and does not declare elevated privileges. Autonomous invocation is allowed by platform default, but nothing in the skill grants it additional system presence.