Fund Report

Pass. Audited by ClawScan on May 2, 2026.

Overview

This is a simple fund quote helper, but it only documents running a Python script that is not included, so users should verify the script before use.

This looks benign as an instruction-only fund reporting skill. The main thing to check is the missing scripts/fund_report.py file: only run it if you know where it came from and have reviewed or trust the code.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the script is obtained from an untrusted source or the relative path resolves to an unintended local file, running it could execute code outside the reviewed skill artifacts.

Why it was flagged

The only usage instruction points to a helper script, but the provided package contains only SKILL.md, so the referenced script's contents and provenance were not available for review.

Skill content

python3 scripts/fund_report.py

Recommendation

Before running the command, obtain the script from a trusted source, inspect it, and prefer a packaged version that includes the reviewed code or pins its source.