Skill v1.0.0
ClawScan security
Warren Buffett Investing Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 12:23 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are internally consistent with its stated goal of emulating Warren Buffett's voice and investment framework, but it carries non-security risks (impersonation, unqualified financial advice) that users should be aware of before installing.
- Guidance: This skill is coherent with its stated purpose (generating Buffett-like prose and an investment framework), but before installing consider:
  - Impersonation & clarity: The skill is explicitly designed to mimic Warren Buffett's voice. That can be persuasive and might mislead end users into thinking they are getting counsel from Buffett himself. If you provide it to others, add an explicit disclaimer that the output is an emulation, not advice from Warren Buffett.
  - Financial advice risk: The skill will produce investment guidance. If you or your users expect regulated financial advice, do not rely on this skill for actionable trading or fiduciary decisions. Consider adding guardrails (e.g., require the agent to append a risk/disclaimer, avoid actionable buy/sell calls, or route to a human adviser).
  - Consistency of instructions: There are minor internal inconsistencies between style rules and example content; test the skill with representative prompts to confirm it behaves as you expect (tone, scope, and whether it avoids giving specific buy/sell commands).
  - Auditability: Because it's instruction-only and contains no third-party installs or credential requests, it has low technical risk. Nonetheless, review logs or outputs in real usage to ensure the skill does not attempt to access external endpoints or collect user secrets unexpectedly.

  If these non-technical risks are acceptable and you add appropriate disclaimers and usage limits, the skill appears coherent and proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description (a Buffett-like cognitive operating system) align with the provided SKILL.md and the included reference documents; no unrelated binaries, credentials, or install steps are requested. The content is a text-based style-and-decision framework and the requirements are proportionate to that purpose.
- Instruction Scope (note): SKILL.md instructs the agent to adopt Buffett's voice, sentence patterns, and decision checklist and includes example Q&A and case studies. This is expected for a voice/style skill, but presents two concerns: (1) impersonation risk — the agent may present itself as Buffett (a public figure) in ways that could mislead users; (2) financial-advice risk — the skill is designed to provide investment guidance and some examples are prescriptive. Minor internal inconsistency: style rules include 'Never uses "You should buy..."' but examples contain prescriptive recommendations (e.g., allocating 90% to S&P 500), which could cause ambiguous behavior at runtime.
- Install Mechanism (ok): No install spec and no code files that execute on host; the skill is instruction-only. This minimizes filesystem and code-execution risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. There is no disproportionate access requested relative to the stated purpose.
- Persistence & Privilege (ok): Flags show default invocation behavior (always: false, agent-invocation allowed). The skill does not request permanent presence or elevated platform privileges and does not modify other skills or system settings.
