Financial Calculator Pro
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward financial calculator; the main things to notice are that its web UI can listen on the network and it uses third-party dependencies.
This skill looks benign for local financial calculations. Before using the web UI, be aware that it may be reachable on your network and that it loads and installs third-party components; run it on a trusted machine/network and avoid entering highly sensitive financial details unless you restrict the server to localhost.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On a shared or untrusted network, other devices may be able to access the calculator UI/API, although the artifacts only show calculation endpoints and no file or credential access.
The Flask UI listens on all network interfaces, which is broader than a strictly local calculator UI and can make its calculation endpoints reachable from other hosts.
app.run(host='0.0.0.0', port=port, debug=False)
Run it only on trusted networks, firewall the chosen port, or change the host binding to 127.0.0.1 if you only need local access.
Running the launcher can download third-party code into the skill directory, creating normal package supply-chain exposure.
The user-directed launcher creates a virtual environment and downloads Flask when needed. This is expected for the web UI, but the package version is not pinned in the launcher.
python3 -m venv venv
venv/bin/pip install flask --quiet
Install from a trusted network/package index and consider pinning Flask to a known-good version.
If the CDN resource were compromised or unavailable, the browser-side UI could be affected. The provided artifacts do not show exfiltration behavior.
The web page loads Chart.js from a third-party CDN. This supports the charting feature and is versioned, but it still executes remote browser JavaScript.
<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.1/dist/chart.umd.min.js"></script>
Use the UI on trusted networks, or vendor the chart library locally with integrity checking if stricter supply-chain control is needed.
