Skill v1.0.0

ClawScan security

yumstock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 4:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only stock-analysis guide whose requested actions and data sources align with its stated purpose and do not request unexplained credentials or installs.
Guidance
This skill is instruction-only and internally consistent with its stated purpose of macro-gated stock analysis. Before installing or using it, consider:
(1) network access — the skill expects to fetch live public data (SEC filings, FRED, CNN, etc.); ensure you are comfortable with the agent reaching those sites.
(2) API keys — some data providers mentioned may require credentials; the skill does not request them explicitly, so if you provide keys to the agent elsewhere, be aware they could be used.
(3) Financial/regulatory risk — the skill produces buy/hold/sell recommendations; decide if you want automated trading or publication of those outputs and be aware of liability/regulatory implications.
(4) Source and provenance — there is no homepage or source code; if you want higher assurance, ask the publisher for source or an authoritative homepage.
(5) Model hallucination — verify numerical computations and data fetches (especially macro calculations) since the agent could miscompute or misread data.
If you require tighter control, restrict autonomous invocation or provide vetted API clients/keys rather than broad web access.

Review Dimensions

Purpose & Capability
ok
The name and description (macro-gated, three-pillar stock analysis) match the instructions: the SKILL.md details macro, technical, and fundamental scoring and lists public data sources. It does not ask for unrelated credentials, binaries, or system access.
Instruction Scope
ok
Runtime instructions are focused on gathering public market and macro data (SEC EDGAR, FRED, CNN, Chicago Fed, BDI, ISM, LEI, treasury yields), computing indicators, and producing weighted scores and gated verdicts. The instructions do not tell the agent to read local files, system credentials, or other unrelated data, nor to transmit data to arbitrary endpoints beyond standard web sources.
Install Mechanism
ok
There is no install spec and no code files; this is instruction-only, which minimizes filesystem and install risk.
Credentials
note
The skill declares no required environment variables or credentials, which is proportional. Note: some suggested data sources (e.g., Alpha Vantage, certain paid APIs) may require API keys in practice; the SKILL.md does not request or document them. If the agent will call paid APIs, the integrator would need to supply keys externally — that is not demanded by the skill itself but should be considered by the user.
Persistence & Privilege
ok
The skill does not request always: true or any special persistent privileges. It is user-invocable and uses the platform's normal model-invocation behavior.