Skill v1.0.54
ClawScan security
research analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 29, 2026, 12:40 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested resources are consistent with a local stock/crypto analysis tool that uses public APIs and local storage.
- Guidance: This skill appears internally consistent with its description, but review and basic precautions are recommended before use:
  1. Inspect the bundled Python scripts (they are included) if you want assurance; the package claims no eval/exec/subprocess usage and the code snippets provided match that.
  2. Install dependencies in an isolated virtual environment or container (python -m venv / docker) to limit supply-chain risk from PyPI.
  3. Run the provided verify_install.sh to confirm the expected files and simple pattern checks.
  4. Be aware portfolio data is stored locally (~/.clawdbot/skills/research-analyst/portfolios.json); if that contains sensitive financial data, restrict file permissions or set CLAWDBOT_STATE_DIR to a secure location.
  5. If you require stronger assurance, manually verify the dependency hashes on PyPI and review full script contents (especially network endpoints) before running.
Review Dimensions
- Purpose & Capability: ok. Name/description (research analyst) align with the included Python scripts and declared dependencies (yfinance, requests, pandas, etc.). Required binaries (python3, pip) and the optional CLAWDBOT_STATE_DIR for local storage are appropriate for the stated purpose.
- Instruction Scope: ok. SKILL.md instructs running bundled Python scripts and installing pinned PyPI deps. The runtime instructions and scripts operate on public GET APIs, perform local analysis, and store portfolio data under the stated ~/.clawdbot path. The skill does not request unrelated files, credentials, or network uploads in the provided code/instructions.
- Install Mechanism: ok. No installation spec is provided (the user installs requirements with pip). That matches SKILL.md, which says dependencies are installed from PyPI. The dependency list is mainstream and pinned; install requires user action (pip install -r requirements.txt), which is normal. There are no remote archive downloads or opaque install URLs in the skill package.
- Credentials: ok. The only optional environment variable is CLAWDBOT_STATE_DIR, for customizing local storage; no credentials or unrelated secrets are requested. The skill's use of the network (Yahoo/Coingecko/Sina/EastMoney/Google News) is coherent with its stated data sources.
- Persistence & Privilege: ok. The skill stores portfolio JSON under the user's CLAWDBOT_STATE_DIR (~/.clawdbot by default) and uses an internal lock file; this is expected for a portfolio manager. always:false and normal invocation settings are used. The skill does not attempt to modify other skills or system-wide settings.
