Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Finance Analyst
v1.0.0 · Professional Financial Advisor (FA) skill for primary market financing - replaces traditional investment advisory services with AI-powered project assessment...
by Justin Liu (@zhenstaff)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL describes a full Python package (fa_advisor) with modules, PDF/OCR, investor DB, and executable APIs. The registry bundle contains only documentation (SKILL.md, README, CHANGELOG) and no Python package or code files. Metadata mentions 'pip install -e .', but there is no install spec and no local package to install. Requiring only 'python3' is insufficient for the claimed capabilities.
Instruction Scope
Instructions ask the agent to collect company financials and optionally parse user-supplied PDFs and scanned docs (OCR), and to generate reports and investor matches. Those actions are coherent with the skill's purpose, but the provided runtime examples assume the fa_advisor package exists locally or is installed. The docs also instruct adding an investor DB under fa_advisor/data — this implies filesystem writes and package installation that are not supported by the bundle. The instructions do not request unrelated system credentials.
Install Mechanism
No install spec is present in the registry bundle (lowest-risk in principle). However, SKILL.md metadata and README recommend 'pip install -e .' and system packages (tesseract, poppler, ghostscript). Because no package files are included, following those install instructions would cause the agent or user to fetch/install code from outside sources (e.g., the GitHub homepage). This mismatch creates a risk if the agent attempts to execute remote installs from an unverified source.
Credentials
The skill declares no required environment variables, no credentials, and no protected config paths. That is proportionate to the current instruction-only bundle. Note: planned integrations with external data sources (Crunchbase, PitchBook) are listed in changelog but no API keys are requested here.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request persistent privileges or system-wide configuration changes in the provided files. The instructions imply installing a Python package and creating data files in a package directory, which would require write access if the user chooses to install it, but the bundle does not itself persist or modify system settings.
What to consider before installing
This skill's documentation describes a full Python package but the registry bundle contains only docs—no code or install script—so it will not work as-is. Before installing or running anything:
(1) Inspect the GitHub homepage referenced to verify the repository actually contains the code and review it for unexpected network calls or credential usage.
(2) Do not run 'pip install -e .' or install system OCR/pdf tools from an untrusted source on your primary machine—use an isolated VM or container.
(3) Be cautious about uploading sensitive financial PDFs or confidential company data; the tool requests parsing of PDFs which could be sent to external services if the implementation does so.
(4) If you want only advisory conversation, use the text-based instructions rather than attempting to install unknown code.
If you provide the repository URL or the missing package files, I can re-evaluate with higher confidence.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💼 Clawdis
OS: macOS · Linux · Windows
Bins: python3
