Version
5.0.0
Status: pending_audit
Created: 1/16/2026, 8:01:29 PM
Latest
ai: WARN
Risk: medium
Started: 1/16/2026, 8:02:23 PM
Completed: 1/16/2026, 8:02:33 PM
{
"notes": "No evidence of obfuscation, encoded payloads, prompt injection, or credential scope overreach in the provided materials.",
"risks": [
{
"category": "network",
"evidence": "README/skill description references Yahoo Finance, CNN Fear & Greed, SEC EDGAR, and Google News RSS for breaking news; analyze_stock.py fetches external data.",
"severity": "medium",
"recommendation": "Explicitly document and declare all outbound network domains/endpoints in the skill metadata and ensure requests are limited to those domains."
},
{
"category": "filesystem",
"evidence": "Readme specifies portfolio storage at ~/.clawdbot/skills/stock-analysis/portfolios.json (local persistent file).",
"severity": "low",
"recommendation": "Document local storage behavior clearly and ensure no sensitive data is written without user consent."
}
],
"summary": "Skill appears to fetch market data from multiple external sources and stores portfolios locally; no obfuscation or exfiltration indicators found. Network destinations are implied in docs but not explicitly declared in the manifest.",
"verdict": "warn",
"allowNetwork": [
"finance.yahoo.com",
"query1.finance.yahoo.com",
"money.cnn.com",
"www.sec.gov",
"news.google.com"
],
"requireHumanReview": true
}
dependency: PASS
Risk: low
Started: 1/16/2026, 8:02:23 PM
Completed: 1/16/2026, 8:02:23 PM
{
"requires": {
"env": [],
"bins": [
"uv"
],
"config": [],
"anyBins": []
},
"installers": [],
"references": {
"tools": [],
"connectors": []
},
"dependencies": []
}
license: PASS
Risk: low
Started: n/a
Completed: n/a
{
"license": "MIT",
"allowlisted": true
}
metadata: PASS
Risk: low
Started: n/a
Completed: n/a
{
"name": "Stock Analysis",
"type": "tool",
"license": "MIT",
"version": "5.0.0",
"homepage": "https://finance.yahoo.com",
"security": {
"openSource": true,
"safeListed": false,
"auditRequired": true,
"requireSource": false,
"requiresAudit": true,
"repositoryHost": null,
"declaredOpenSource": true,
"declaredAuditRequired": null,
"repositoryHostAllowed": null
},
"repository": null,
"description": "Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management (create, add, remove assets), crypto analysis (Top 20 by market cap), and periodic performance reports (daily/weekly/monthly/quarterly/yearly). 8 analysis dimensions for stocks, 3 for crypto. Use for stock analysis, portfolio tracking, earnings reactions, or crypto monitoring.",
"sourceBytes": 41325,
"capabilities": [
"finance-data-read",
"portfolio-management"
],
"sourceCommit": null,
"sourceSha256": "4abcc6a155c7f6906b79850f5e2a83e55857d85af52602331387b5a861dcac64"
}
sandbox: PASS
Risk: low
Started: 1/16/2026, 8:02:23 PM
Completed: 1/16/2026, 8:02:23 PM
{
"reason": "sandbox deferred in v1",
"skipped": true
}
static: PASS
Risk: low
Started: 1/16/2026, 8:02:23 PM
Completed: 1/16/2026, 8:02:23 PM
{
"flags": [],
"fileCount": 6,
"sourceScan": {
"totalFiles": 6,
"scannedFiles": 6,
"skippedBytes": 0,
"skippedFiles": 0,
"suspiciousFiles": [
{
"path": "App-Plan.md",
"reasons": [
"network",
"exfil",
"crypto"
],
"excerpts": [
" │ HTTPS/REST",
" dio: ^5.0.0 # HTTP client",
"3. Webhook handlers for subscription events",
"│ PostgreSQL │ │ Redis │ │ S3 │",
"- **S3** - Static assets, reports",
"| S3 + CloudFront | $10-20 |",
"Transform the stock-analysis skill into **StockPulse**, a commercial mobile app for retail investors with AI-powered stock and crypto analysis, portfolio tracking, and personalized alerts.",
"- Basic stock/crypto analysis",
" - `analysis/crypto.py`"
]
},
{
"path": "README.md",
"reasons": [
"network",
"crypto"
],
"excerpts": [
"- [Yahoo Finance](https://finance.yahoo.com) - Price, fundamentals, earnings",
"- [CNN Fear & Greed](https://money.cnn.com/data/fear-and-greed/) - Market sentiment",
"- [SEC EDGAR](https://www.sec.gov/edgar) - Insider trading (Form 4)",
"| **Crypto Analysis** | Top 20 cryptos: market cap, category, BTC correlation, momentum |",
"### Analyze Crypto",
"### Crypto (3 dimensions)"
]
},
{
"path": "SKILL.md",
"reasons": [
"network",
"crypto"
],
"excerpts": [
"homepage: https://finance.yahoo.com",
"- **Insider Activity**: Net buying/selling from SEC Form 4 filings (90-day window)",
"description: Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management (create, add, remove assets), crypto analysis (Top 20 by market cap), and periodic performance reports (daily/weekly/monthly/quarterly/",
"Analyze US stocks and cryptocurrencies using Yahoo Finance data. Includes portfolio management, crypto support, and periodic analysis.",
"**Crypto Analysis Dimensions:**"
]
},
{
"path": "TODO.md",
"reasons": [
"network",
"crypto"
],
"excerpts": [
"- [ ] Calculate net shares bought/sold",
"- [ ] Calculate net value in millions USD",
"- [ ] Add request counter/tracker if needed",
"### v5.0.0 (Current) - Portfolio & Crypto",
"✅ Crypto fundamentals (market cap, category, BTC correlation)"
]
},
{
"path": "scripts/analyze_stock.py",
"reasons": [
"network",
"crypto",
"secrets"
],
"excerpts": [
" \"\"\"Fetch stock data from Yahoo Finance with retry logic.\"\"\"",
" # Fetch earnings history",
" # Fetch analyst info",
"# Crypto category mapping for sector-like analysis",
"def detect_asset_type(ticker: str) -> Literal[\"stock\", \"crypto\"]:",
" return \"crypto\"",
" \"BNB-USD\": \"Exchange Token\","
]
},
{
"path": "scripts/portfolio.py",
"reasons": [
"crypto"
],
"excerpts": [
"def detect_asset_type(ticker: str) -> Literal[\"stock\", \"crypto\"]:",
" return \"crypto\"",
" # Allow any *-USD ticker as crypto (flexible)"
]
}
]
}
}