Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cfo Advisor
v0.1.0
Financial leadership for startups and scaling companies. Financial modeling, unit economics, fundraising strategy, cash management, and board financial packa...
by vasan rajesh (@vasan-rajesh)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide CFO advisory capabilities and shows commands that run scripts (scripts/*.py) and reference local `references/*.md` files; however, the package contains only SKILL.md and no scripts or references. The metadata also lists python-tools. The skill does not declare Python as a required binary. This mismatch means the skill as published cannot perform the actions it documents without additional files or environment assumptions.
Instruction Scope
The SKILL.md gives explicit commands (python scripts/...) and lists local reference paths the agent should use. It also asks the agent to 'surface' triggers when it detects them in company context, but it's ambiguous how that context is obtained. The instructions do not request unrelated secrets or system paths, but they do assume access to local project files or company financial data without specifying how that data should be provided or protected.
Install Mechanism
No install specification or external downloads are present (instruction-only). That lowers install risk. There is no evidence of remote code fetch or archive extraction.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a pure advisory skill, but the runtime instructions expect local Python scripts and reference files. The absence of a declared Python requirement or any dependency list (e.g., packages the scripts may need) is a proportionality/accuracy problem: either the skill should require Python and list dependencies, or it shouldn't reference runnable scripts.
Persistence & Privilege
`always` is false and model invocation is allowed (normal). The skill does not request persistent system configuration changes or access to other skills' config. No privileged persistence is requested.
What to consider before installing
This skill looks like a legitimate CFO advisory guide, but the SKILL.md expects local Python scripts and reference files that are not included and it doesn't declare Python or dependencies. Before installing or running it, ask the publisher for the missing scripts and for a clear list of runtime requirements (Python version, pip packages). Do not run unknown Python scripts on sensitive machines until you can review their source. Also ask how the skill will obtain company financial data (manual upload vs. automatic access) and what, if any, external endpoints it will contact. If you can't get the missing files or a trusted source, treat this skill as incomplete and avoid running commands it suggests.
Like a lobster shell, security has layers — review code before you run it.
latest vk975c6dk6n4c8mhxzv79jphw35832vvf
