Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FinResearchClaw

Finance, accounting, and investment research automation via the FinResearchClaw repo. Use when asked to run autonomous finance research workflows such as eve...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The skill claims to operate a finance-research repo and its scripts do exactly that (clone/update a GitHub repo, create a venv, pip install, and run a research CLI). However, the manifest declares no required binaries or environment variables even though the scripts assume git, python3, pip, and a 'researchclaw' package/CLI. These requirements should have been declared.

Instruction Scope

SKILL.md and scripts instruct the agent (and the user) to clone a remote GitHub repository and run its code (pip install -e . and researchclaw run --auto-approve). That means arbitrary third-party code will be executed locally and may perform network I/O or other side effects. The use of --auto-approve increases the chance of non-interactive actions. The instructions otherwise don't attempt to read unrelated system files or secrets.

Install Mechanism

There is no install spec (instruction-only), which is lowest-risk in principle. But bundled scripts perform git clone/fetch from a third-party GitHub URL (https://github.com/ChipmunkRPA/FinResearchClaw). Pulling and installing code from an external repo via pip install -e is expected for this purpose, but it carries the normal risk of executing upstream code. The remote is a standard GitHub URL (not an obscure host), which reduces but does not eliminate risk.

Credentials

The skill requests no credentials or environment variables and does not reference secrets. That is proportionate to its stated purpose. Note: scripts will create/activate a local venv and may cause network access during pip install or when the research code runs.

Persistence & Privilege

always is false and the skill does not request persistent or platform-wide privileges. It does not modify other skills or global agent config. The agent can run the skill autonomously (default), which is normal; combined with the code-execution behavior this raises the need for trust but not a metadata-level privilege escalation.

What to consider before installing

This skill runs code from a remote GitHub repository and will pip-install and execute that code locally (venv, pip install -e ., researchclaw run --auto-approve). That behavior is coherent with a repo-driven research runner but has inherent risk: any upstream code can execute arbitrary commands and network calls. Before installing or running:

  1. Inspect the remote repo contents and recent commits (or pin to a known commit).
  2. Ensure you trust the repository owner.
  3. Run install/update and example runs in a sandboxed environment or VM.
  4. Be cautious of the --auto-approve flag, which disables interactive checks.
  5. Note the skill metadata should declare required binaries (git, python3, pip); consider adding those to the environment requirements.

If you need strict controls, refuse network fetch/installation and request a vetted archive or code snapshot instead.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.2

SKILL.md

FinResearchClaw

Use this skill to operate the FinResearchClaw repo as a finance-research engine.

Execution preference

Always prefer these execution modes in order:

  1. Codex first
    • Prefer Codex / ACP Codex for repo-driven execution, code edits, and iterative finance research runs.
  2. Claude Code second
    • Use Claude Code if Codex is unavailable or the user explicitly asks for Claude.
  3. API mode last
    • Use direct researchclaw CLI / config / API-style execution only as fallback when coding-agent execution is unavailable or unsuitable.

Do not choose API mode first when Codex or Claude Code is available.

Core workflow

  1. Ensure the FinResearchClaw repo exists locally.
    • Default repo path: ~/.openclaw/workspace/AutoResearchClaw
    • GitHub repo: https://github.com/ChipmunkRPA/FinResearchClaw
  2. Select the closest finance workflow:
    • event study
    • factor model
    • accounting forecast error
    • accounting panel regression
    • valuation / investment research
  3. Prefer a coding-agent run path first.
  4. Fall back to direct CLI/config mode only if coding-agent paths are unavailable.
  5. Use example configs and starter plans when they fit.

Local helper scripts

Use these scripts when helpful:

  • scripts/install_or_update.sh — clone or update the repo locally
  • scripts/choose_runner.sh — print preferred execution order and basic availability
  • scripts/run_finance_example.sh — launch a chosen example in direct CLI mode

When the skill is installed from ClawHub, executable bits on bundled shell scripts may not be preserved on every system. If a direct script call fails with permission denied, run it with bash, for example:

bash scripts/choose_runner.sh
bash scripts/install_or_update.sh

Repo paths and examples

If needed, inspect:

  • references/examples.md

It documents the main example configs, starter experiment plans, and preferred mode selection.
