Skill v0.1.1

ClawScan security

Stock Fundamentals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 3:56 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and requirements are coherent with a local yfinance-based stock fundamentals analyzer and do not request unrelated credentials or installs.
Guidance
This skill appears to do what it says: run a local Python script that uses yfinance to produce fundamentals. Before installing, confirm you trust the skill source/owner since it will execute Python code on the host when invoked. Ensure the 'uv' binary on your system is legitimate (uv will auto-install the yfinance dependency from PyPI), and be aware that installing packages from PyPI can be a vector for supply-chain risk—consider pinning versions or running in an isolated environment. No credentials are requested, but the script will perform network requests to Yahoo Finance to fetch data. If you require stronger assurance, review the included source files (provided) or run the script manually in a sandboxed VM/container prior to enabling it for your agent.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and instructions. The skill requires the 'uv' binary and depends on the yfinance package (declared in main.py), which is appropriate for pulling Yahoo Finance fundamentals.
Instruction Scope
ok: SKILL.md instructs the agent to run the provided local Python script via 'uv run' and explicitly forbids web scraping/curl outside yfinance. The code only accesses ticker data via yfinance and formats results; it does not read unrelated files, environment variables, or send data to external endpoints beyond the expected Yahoo Finance data access.
Install Mechanism
ok: There is no external install spec; this is instruction-and-code-only. 'uv run' will auto-install yfinance per the inline dependency block in main.py, which is a reasonable, low-risk mechanism compared with fetching arbitrary binaries from unknown URLs.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. The network access performed is proportional to the task (yfinance pulling data from Yahoo Finance).
Persistence & Privilege
ok: The skill is not forced always-on (always:false), is user-invocable, and does not request elevated or cross-skill privileges or modify other skills' configurations.