Skill v1.0.0

ClawScan security

Temp Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 12:19 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's documentation and manifests claim online data-source integrations and API key usage, but the included code primarily reads local CSVs and neither declares nor requires the stated credentials. This mismatch between declared and observed behavior warrants caution before running.
Guidance
Do not run this skill blindly. Key concerns:
(1) The documentation promises live API fetching and asks for an ALPHA_VANTAGE_API_KEY, but the included code, as shown, works only with local CSVs. Verify whether any hidden or remaining code makes network calls before providing API keys.
(2) The manifests and docs disagree about dependencies (yfinance and plotly appear in README/SKILL.md but not in the manifest). Install only the packages the code actually imports, and inspect the imports yourself rather than trusting the pip install list.
(3) Review the full optimized_risk_parity_skill.py and optimized_main.py for any network, subprocess, or filesystem writes; the provided excerpt is truncated and contains an apparent unfinished return referencing an undefined variable.
Run the code in a sandboxed environment with non-sensitive sample CSVs first, and consider static inspection or running with tracing to detect unexpected outbound connections. If you intend to use live APIs, supply API keys only after confirming exactly which module will use them and where the keys are read from.

Review Dimensions

Purpose & Capability
concern · The SKILL.md and README claim integration with Yahoo Finance (yfinance), Alpha Vantage, and Finnhub and instruct setting ALPHA_VANTAGE_API_KEY, but the provided Python code focuses on loading local CSV files and contains no obvious network/API calls in the visible portions. The manifest dependencies also omit yfinance/plotly while SKILL.md's pip install list includes them. These discrepancies mean the declared capabilities (live API fetching) do not match the actual code and requirements.
Instruction Scope
note · Runtime instructions tell the agent/user to run scripts that operate on local CSVs and mention configuring an Alpha Vantage API key. The shipped scripts (optimized_main.py and optimized_risk_parity_skill.py), as shown, read local CSVs, compute metrics, and write reports/charts; in the visible code they do not request or transmit secrets. However, SKILL.md mentions free API sources and an API key, which expands the expected scope beyond what the code reflects. SKILL.md also references a Windows-specific default path under C:\Users\..., which may cause accidental use of a local file.
Install Mechanism
ok · There is no automated install spec (instruction-only install). That minimizes supply-chain risk from downloads. The SKILL.md suggests pip installing typical data-science packages (pandas/numpy/matplotlib/seaborn/plotly/yfinance). Those are expected for this domain; no remote/executable download URLs are present in the package.
Credentials
concern · The SKILL.md instructs setting ALPHA_VANTAGE_API_KEY, but the skill metadata lists no required environment variables and the visible code does not reference any env var. This mismatch is a red flag: either the docs are outdated (harmless) or parts of the skill not visible in the truncated code use credentials without declaring them. Users should not supply API keys until they have confirmed whether and where the keys are used.
Persistence & Privilege
ok · The skill does not request persistent or privileged presence (the manifest's always flag is false). It appears to operate as a run-on-demand script that reads CSVs and writes reports/charts into the filesystem; no evidence of modifying other skills or agent configs was found in the visible files.