v0.1.0

Pair Trade Screener

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

The artifacts describe a coherent stock pair-analysis tool with no hidden or destructive behavior, but it does require user-managed Python dependencies and an FMP API key.

Guidance: Before installing, use a Python virtual environment, verify or pin dependencies, and keep your FMP API key private. Treat the trading signals as research support rather than guaranteed investment advice; the artifacts do not show any automatic trading or account changes.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
README.md
pip install pandas numpy scipy statsmodels requests

The setup uses user-directed, unpinned Python package installation. These packages are common and purpose-aligned, but unpinned installs depend on whatever versions the package index resolves at install time.

User impact: Installing dependencies trusts the current package sources and versions, which can affect reproducibility and supply-chain assurance.
Recommendation: Install in a virtual environment, use trusted package indexes, and pin or record dependency versions for repeatable use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
README.md
export FMP_API_KEY="your_key_here"

Or add to `~/.bashrc` / `~/.zshrc` for persistence.

The skill needs a Financial Modeling Prep API credential and suggests optional shell-profile storage. This is expected for the stated market-data purpose, but users should treat the key as a credential.

User impact: Your FMP API key is needed for market data access and could be exposed if pasted into shared logs, shell history, or a shared shell profile.
Recommendation: Prefer an environment variable over command-line key entry, keep the key out of shared logs, and rotate it if exposed. The skill metadata should ideally declare the FMP API key requirement.