Skill v3.0.0
ClawScan security
Stock Valuation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 5:13 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions are consistent with a stock valuation/report generator; nothing in the package asks for unrelated credentials, hidden endpoints, or unexplained system privileges.
- Guidance
- This skill appears coherent for producing valuation reports, but note a few practical points before installing: (1) it expects Python libraries (yfinance, pandas, matplotlib, lxml, numpy) to be available — the SKILL.md uses a 'uv run --with' pattern to indicate dependency injection; ensure your runtime supports that. (2) Qualitative research steps will fetch external web pages (Seeking Alpha, Twitter/X, analyst pages) — if you have credentials or rate limits for those services, the tool may attempt to use existing CLI/tools or agent connectors; review how web_search/web_fetch and any Twitter CLI behave in your environment. (3) The PDF step uses a hardcoded macOS Chrome path and may need adjustment on Linux/Windows. (4) The skill writes cache and output files under /tmp; if you run in a multi-tenant environment, consider the privacy implications of storing intermediate data in a shared /tmp. If you need stronger assurance, verify the bundled scripts locally and run them in a sandboxed environment first.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the code and instructions: the scripts fetch financial data (yfinance), compute DCF/technicals, generate charts and an HTML/PDF report. The declared purpose (valuation/reporting) aligns with the code and runtime steps.
- Instruction Scope
- note: SKILL.md directs the agent to run local Python scripts and to perform web research (Seeking Alpha, X/Twitter, analyst pages) and save results to /tmp. This is within scope for generating qualitative research for a valuation report, but it does require the agent's web_search/web_fetch and (optionally) a 'bird' CLI to access social posts. The instructions do not ask for unrelated files or secrets, but they do rely on the agent's ability to fetch third-party web pages (which may require credentials or CLI tools if those services are rate-limited or protected).
- Install Mechanism
- ok: No install spec is included (instruction-only install path) and all code is bundled with the skill. Scripts depend on standard Python packages (yfinance, matplotlib, lxml, pandas, numpy) but there are no remote download URLs or extract steps. Risk from install mechanism is low.
- Credentials
- note: The skill requests no environment variables or secrets. It does assume certain helper tools are present: a 'uv run' wrapper (used in examples), optional 'bird' CLI for X/Twitter, and a macOS Google Chrome binary path for PDF printing. These are tooling assumptions (not requested credentials) and may fail on environments without them; they do not appear to demand unrelated credentials.
- Persistence & Privilege
- ok: The skill does not request always: true and does not alter other skills or system-wide settings. Scripts write caches and outputs to /tmp and to /tmp/stock_valuation_cache — this is a local, limited persistence scope appropriate for the task.
