Back to skill
Skillv1.0.0
ClawScan security
finddata.skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 10:27 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it is a thin client + instruction set for the FindData API and only needs a FindData API key to function; there are no unrelated credentials, installs, or hidden endpoints.
- Guidance
- This skill legitimately needs your FindData API key to work. To minimize risk, provide the key only if you trust the skill and the FindData service; prefer setting the key as an environment variable (FINDDATA_API_KEY) rather than pasting it inline into a chat message. Note the SKILL.md instructs the agent to extract a key from your message if you include it — do not share this key in public channels. If you install the skill and later suspect the key was exposed, revoke or rotate it at finddata.ai. Also verify the finddata.ai service and the skill author before using in production.
Review Dimensions
- Purpose & Capability
- okThe name/description, SKILL.md, and the included Python client all consistently target the finddata.ai API. The code calls https://finddata.ai/api endpoints and the runtime instructions describe using an X-API-Key — these requirements are coherent with the skill's stated purpose.
- Instruction Scope
- noteThe SKILL.md explicitly instructs the agent to extract a FindData API key from the user's message (or to prompt for it) and to always use the real key. That behavior is necessary for the skill to authenticate, but it means the agent will look for and accept sensitive keys in user messages — a privacy consideration. The instructions do not ask for unrelated files, credentials, or system data.
- Install Mechanism
- okNo install spec (instruction-only) and the only code file is a small, unobfuscated Python client using requests. Nothing is downloaded from arbitrary URLs and no archive extraction or package installs are required by the skill itself.
- Credentials
- noteThe skill uses a single API credential (FINDDATA_API_KEY) and an optional FINDDATA_BASE_URL. The registry metadata listed no required env vars, but the SKILL.md and client expect FINDDATA_API_KEY; this is a minor metadata mismatch but the environment access itself is proportional to the stated purpose (only the FindData API key is needed).
- Persistence & Privilege
- okThe skill does not request permanent/always-on privilege (always:false) and does not modify other skills or system settings. It runs with normal, transient permissions for an API client.