Skill v1.0.0
ClawScan security
SEC Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 20, 2026, 7:15 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements match its stated purpose (monitoring EDGAR for filings); it only needs a local Python interpreter and queries the public SEC API, and nothing appears disproportionate or covert.
- Guidance: This skill appears internally consistent: it runs a local Python script that queries the public SEC EFTS API and formats results. Before installing, consider: (1) network calls reveal which companies you query (the SEC will see requests from the host IP); (2) the SKILL.md references a commercial product (signal-report.com) but the code does not call that site; verify you trust the skill source since the registry owner is an opaque ID; (3) if you plan to run in a sensitive environment, review the included scripts yourself (they are short and readable) and run the provided tests (scripts/test_skill.py) in a sandbox; (4) the script sets a custom User-Agent string, which is harmless, but be aware it identifies this tool. If you want extra assurance, run the fetcher against a non-production network or inspect network traffic to confirm it only contacts efts.sec.gov.
Review Dimensions
- Purpose & Capability: ok. Name/description (SEC EDGAR filing monitor) align with the shipped files and declared requirements. The included Python fetcher implements queries against the SEC full-text search endpoint and a curated watchlist; requiring python3 is appropriate.
- Instruction Scope: ok. SKILL.md instructs running scripts/fetch-filings.py with explicit flags and describes expected output; it does not ask the agent to read unrelated files, environment variables, or send data to unexpected endpoints. The 'Pro' promotional text references a website but is not invoked by the code.
- Install Mechanism: ok. No install spec (instruction-only) and code is included as plain Python files. There is no download-from-arbitrary-URL, no package installation, and nothing will be auto-downloaded during install.
- Credentials: ok. The skill declares no required environment variables or credentials and the code does not read secrets or config paths. Network access is used only to call the public SEC EFTS endpoint.
- Persistence & Privilege: ok. Skill is not configured always:true and does not modify system-wide agent settings or other skills. It runs as an on-demand/local script and has normal, limited presence.
