Jarvis Stock Monitor

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a disclosed stock alert tool, but it runs a background monitor and may use third-party APIs or notification credentials, so review the configuration before use.

Before installing, confirm the package name/path, review the watchlist and cost values, and decide whether you are comfortable with periodic background monitoring and third-party market/news or notification services. If using email or Feishu alerts, use limited-purpose credentials and verify recipients.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After starting it, the monitor can keep running in the background and periodically contact market data services.

Why it was flagged

The control script starts a long-running background monitor and records its PID/logs. This is disclosed and purpose-aligned for stock alerts, but it continues operating until stopped.

Skill content

nohup python3 "$SCRIPT_DIR/monitor_daemon.py" > "$LOG_DIR/monitor.log" 2>&1 &
echo $! > "$PID_FILE"

Recommendation

Use the provided status, log, and stop commands, and only start the daemon when you want ongoing monitoring.

What this means

Third-party market/news providers may see the stock names or symbols that the user asks the tool to analyze.

Why it was flagged

The analyzer sends stock names/symbols to external financial data providers. This is expected for news and market analysis, but it can reveal which securities are being monitored.

Skill content

url = f"https://searchapi.eastmoney.com/api/suggest/get"
params = {
    "input": name,
    "type": 14,
    "count": limit
}

Recommendation

Only configure securities you are comfortable querying through these providers, and review optional notification settings before enabling them.

What this means

If enabled, the skill could use the configured webhook or email account to send alert messages containing financial watchlist details.

Why it was flagged

The sample configuration supports optional webhook and SMTP credentials for notifications. They are disabled/placeholders by default and are purpose-aligned, but they are still account credentials if a user fills them in.

Skill content

FEISHU_WEBHOOK = None
EMAIL_CONFIG = {
    "enabled": False,
    "smtp_server": "smtp.example.com",
    "username": "your_email@example.com",
    "password": "your_password"

Recommendation

Use dedicated or app-specific notification credentials, restrict recipients/webhook scope, and avoid storing high-value passwords directly in the config file.

What this means

A user following the documentation literally could install or navigate to a differently named package/path.

Why it was flagged

The setup instructions reference stock-monitor-pro while the evaluated registry slug is jarvis-stock-monitor. This naming/path mismatch is a provenance and usability ambiguity rather than evidence of malicious behavior.

Skill content

clawhub install stock-monitor-pro
...
cd ~/.openclaw/workspace/skills/stock-monitor-pro/scripts

Recommendation

Verify the exact ClawHub slug and local skill directory before running scripts, and prefer the evaluated package name unless the publisher clarifies the rename.