claw-screener
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the Bun runtime from its official domain (bun.sh). This is a well-known service and the installation method is standard for this runtime.
- [COMMAND_EXECUTION]: The skill executes TypeScript scripts using the Bun runtime to perform stock screening, technical analysis, and fundamental calculations. These operations are limited to the intended functionality of the tool.
- [DATA_EXFILTRATION]: The skill communicates with external financial APIs, including data.sec.gov for SEC EDGAR filings and Yahoo Finance for market data. It also fetches S&P 500 ticker lists from a public GitHub repository. These network operations are necessary for the skill's primary purpose and do not target sensitive personal information.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests data from external financial sources, which constitutes an attack surface for indirect prompt injection.
  - Ingestion points: Financial metrics and ticker lists retrieved from the SEC EDGAR API, Yahoo Finance API, and GitHub.
  - Boundary markers: Not explicitly defined in the output prompts.
  - Capability inventory: The skill can read and write local cache databases (sec_cache.db, price_cache.db) and a watchlist configuration file (~/.claw-screener-watchlist.json), and perform network requests to financial data providers.
  - Sanitization: The skill parses structured JSON and CSV data into numeric values for algorithmic analysis (Buffett's formulas and Williams %R), which significantly limits the potential for malicious instruction execution via processed data.
Audit Metadata