Skill v1.0.1
ClawScan security
finance-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 10:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose of parsing Excel/CSV financial statements and computing metrics; it does not request unrelated credentials or appear to exfiltrate data.
- Guidance: This skill appears to do what it says: parse provided Excel/CSV files and compute financial metrics. Before installing/running: (1) Review and run the script in a controlled environment (virtualenv or sandbox) and avoid installing packages system-wide. (2) Only feed data files you intend to analyze — the script will read the files you provide and may write output JSON if --output is used. (3) The script contains no network calls or credential usage in the included code, but installing packages via pip executes code from PyPI during install; if you are cautious, install dependencies in an isolated environment. (4) If you need higher assurance, open the script locally and inspect it (no obfuscated code or external endpoints were found in the provided file).
Review Dimensions
- Purpose & Capability (ok): The name/description match the actual artifacts: SKILL.md describes parsing Excel/CSV financial statements and the repository includes a Python script that implements that functionality. The requested Python packages (pandas, openpyxl) are appropriate and proportionate for the task. No unrelated binaries, credentials, or config paths are requested.
- Instruction Scope (ok): Runtime instructions are limited to: obtain the user's Excel/CSV file, install pandas/openpyxl, run the bundled script, and interpret the JSON output. The script reads only the provided file (and optionally a specified sheet) and computes metrics. The SKILL.md does not instruct reading arbitrary system files, environment variables, or sending data to external endpoints.
- Install Mechanism (note): There is no formal install spec (instruction-only + bundled script). SKILL.md asks the user to run `pip install pandas openpyxl`, which is reasonable for this Python tool. Note: pip installs execute code from PyPI during installation; the listed packages are widely used and expected, but installing any packages should follow your normal safety practices (use a virtualenv/container if concerned).
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The script does not reference environment variables or other secrets in the provided code. This is proportionate to the described task.
- Persistence & Privilege (ok): The skill does not request persistent presence (always:false), does not modify other skills or system-wide settings, and does not store credentials. Autonomous invocation is allowed by default on the platform, which is normal; combined with the other findings this does not increase concern.
