FA Advisor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for financial advisory analysis and shows no artifact-backed malicious behavior, but it handles sensitive business/financial information and should be used as decision support rather than a replacement for professional advice.

This appears to be a purpose-aligned financial-analysis skill rather than a malicious one. Before installing, review the Python package and dependencies, use a virtual environment, provide only documents you intend to analyze, protect generated reports, and treat all valuations or investment recommendations as draft analysis that needs human professional review.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user points the skill at the wrong file, sensitive business or financial information could be included in generated analysis or reports.

Why it was flagged

The skill can read and process user-supplied financial PDFs and scanned business documents. This is central to the stated purpose, but it means users may expose confidential company or financial material to the local analysis workflow.

Skill content

financial_data = await advisor.parse_financial_pdf("financial_statement.pdf") ... text = await advisor.ocr_pdf("scanned_business_plan.pdf", language='eng+chi_sim')

Recommendation

Use only intended documents, review generated summaries before sharing, and keep confidential inputs in a controlled workspace.

What this means

Installing the package may bring in Python dependencies and local package setup behavior that users should understand before use.

Why it was flagged

The skill expects a local editable Python package install. That is normal for a Python-based skill, but users should review the local package files and dependencies before installing, especially because the registry summary separately describes the skill as having no install spec.

Skill content

"requires":{"bins":["python3"],"env":[],"config":[]},"install":["pip install -e ."]

Recommendation

Install in a virtual environment, review pyproject.toml/requirements files, and reconcile the registry install metadata with the documented setup steps.

What this means

A user might treat generated valuations, fundraising advice, or investment recommendations as authoritative professional advice.

Why it was flagged

The skill uses strong professional-advisor framing in a high-stakes financial context. This appears aligned with the product purpose, but the wording could lead users to over-rely on AI-generated valuation or investment recommendations.

Skill content

replaces traditional investment advisory services ... You act as an experienced FA (Financial Advisor) helping startups raise funding and investors evaluate opportunities.

Recommendation

Treat outputs as analytical drafts or decision support and verify important fundraising, legal, tax, and investment decisions with qualified professionals.

What this means

Generated files may contain confidential company, fundraising, valuation, or due-diligence details that could be exposed if stored or shared carelessly.

Why it was flagged

The skill can create persistent reports and memos from sensitive startup and financial information. This is expected for the stated purpose, but generated artifacts may preserve confidential summaries beyond the chat session.

Skill content

await advisor.generate_assessment_report(assessment, "report.pdf") ... await advisor.generate_valuation_report(valuation, "valuation.pdf") ... await advisor.generate_investment_memo(memo, "memo.pdf")

Recommendation

Store generated reports securely, avoid placing confidential outputs in shared folders unless intended, and delete unnecessary files after use.