Skill v0.1.0
ClawScan security
Langchain V1 Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 25, 2026, 9:39 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documentation and runtime YAML broadly match a LangChain/finance knowledge pack, but the runtime instructions expect filesystem and environment access (and ask the host to run Python commands and installs) that are not declared in the skill metadata; this mismatch warrants caution.
- Guidance: This skill is a documentation/knowledge pack for LangChain v1 and a finance blueprint; it requires the host to run Python checks and (if missing) pip installs and will read/create files (ZVT_HOME, host_workspace paths). Before installing or invoking: (1) review references/seed.yaml yourself to confirm it doesn't reference unexpected external endpoints or secrets; (2) run it in an isolated environment or container if you are worried about package installs or filesystem writes; (3) be aware the skill will expect access to your Python runtime, ability to run python3 -c commands, and write permissions under your home/workspace; (4) if you want to limit scope, reject or sandbox any automated pip installs and review precondition commands before allowing them to run.
Review Dimensions
- Purpose & Capability (note): Name/description and included seed.yaml indicate an AI-engineering / LangChain v1 knowledge toolkit for building agents and finance workflows; that purpose aligns with the large seed.yaml, intent_router, and preconditions. However, the skill metadata declares no required env vars or binaries while the runtime content expects Python runtime/tools and provider packages (langchain, zvt, partner packages), so the declared requirements understate the actual runtime needs.
- Instruction Scope (concern): SKILL.md and seed.yaml instruct the host AI to re-read references/seed.yaml at runtime and to execute precondition check_commands such as python3 -c 'import zvt...' and filesystem checks (ZVT_HOME, write tests). The instructions therefore direct the host to run arbitrary Python commands, check and create files in the host workspace/home, and suggest pip installs. Those actions are within this skill's stated purpose (backtesting / LangChain patterns) but they expand the agent's scope to the host filesystem and environment, something the metadata did not declare explicitly.
- Install Mechanism (note): There is no install spec (instruction-only), which avoids an automated download/execute risk. But the runtime docs and preconditions explicitly instruct to pip install langchain and provider packages if missing. That makes the effective installation manual/host-driven rather than automatic; it's expected but worth noting because the skill instructs host-side package installs.
- Credentials (concern): Declared required env vars: none. Yet seed.yaml and preconditions reference environment variables and filesystem state (ZVT_HOME, host_workspace, paths under {host_workspace}, checks that touch ~/.zvt). This is a discrepancy: the skill will read and act on environment variables and file paths even though none are declared. No explicit credential or network exfiltration env vars appear, but the mismatch is a proportionality and transparency concern.
- Persistence & Privilege (note): always:false and no code files means it won't be force-included or install binaries by itself. The execution protocol expects writing to host workspace paths (scripts/, skills/, .trace/) and running write-permission checks in ~/.zvt; these are reasonable for a backtesting tool but do grant the skill the ability to create files on the host when the host follows its instructions. This is expected but should be considered when running on sensitive hosts.
