Back to skill
Skillv1.0.0
ClawScan security
Stock Macro Market Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewApr 6, 2026, 4:05 PM
- Verdict
- Review
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description matches a market-analysis tool, but the runtime instructions reference many helper scripts and a template that are missing (and the API provider for the required API key is unspecified), so the bundle is incomplete and incoherent as delivered.
- Guidance
- Do not install or provide your STOCK_DATA_API_KEY yet. The SKILL.md references many helper scripts (tools/index_tracker.py, tools/market_breadth.py, tools/capital_flow_analyzer.py, tools/sentiment_gauge.py, tools/macro_data_fetcher.py, tools/policy_analyzer.py, tools/global_linkage.py) and a templates/daily_market_report.md file that are not included in the bundle — the only shipped code is tools/sector_rotation.py (which appears to be local processing code and contains no network or credential use). Before trusting this skill, ask the publisher to: (1) provide the missing scripts and the report template; (2) document exactly which market-data provider the STOCK_DATA_API_KEY is for and what endpoints the scripts call; (3) show any network calls those missing scripts make so you can verify where data (and your API key) would be sent. If you must test, run in a sandboxed environment and use a scoped/test API key. The current package is incomplete and should be treated with caution.
Review Dimensions
- Purpose & Capability
- noteName and description (macro/market analysis) match the requested binary (python3) and the single required env var (STOCK_DATA_API_KEY). However, the package only contains one helper (tools/sector_rotation.py) while the SKILL.md expects multiple analysis scripts; this mismatch means the shipped contents don't fully implement the stated purpose.
- Instruction Scope
- concernSKILL.md instructs the agent to execute many Python scripts (index_tracker.py, market_breadth.py, capital_flow_analyzer.py, sentiment_gauge.py, macro_data_fetcher.py, policy_analyzer.py, global_linkage.py) and to write a template at templates/daily_market_report.md. Those files are not present in the bundle. The instructions also depend on an external STOCK_DATA_API_KEY but do not name the data provider or endpoints — leaving ambiguous where credentials/requests would go. Missing files and unspecified endpoints create scope and operational ambiguity and increase risk.
- Install Mechanism
- okThere is no install spec (instruction-only), which lowers risk because nothing arbitrary is downloaded or written by an installer.
- Credentials
- noteOnly one environment variable (STOCK_DATA_API_KEY) is required, which is reasonable for a market-data-driven skill. However the SKILL.md does not identify the API provider or what the key grants access to; the included code (sector_rotation.py) does not use the env var, so it's unclear which (missing) scripts will need the credential.
- Persistence & Privilege
- okThe skill is not marked always:true and is user-invocable; no unexpected persistence or system-wide configuration changes are requested in the manifest or files provided.