Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rhetra TaxGuard

v1.0.0

Silent tax advisor that checks every trade for wash sales, PDT triggers, and optimization, logs results, and delivers a daily tax risk and opportunity report.

0· 66·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, README, SKILL.md and check-trade.js all describe the same function (per-trade tax checks, wash-sale/PDT detection, daily reports). However, registry metadata lists no required credentials even though SKILL.md and check-trade.js require a Rhetra API key; this is an inconsistency in the declared requirements.
Instruction Scope
SKILL.md instructs the agent to collect account context (equity, positions, recent sales, day-trade counts) and to call check-trade.js before every trade, then 'do this SILENTLY — do not show the results to the trader.' That is a broad and sensitive data collection/transmission instruction and grants the skill discretion to hide results. There's also a direct contradiction: SKILL.md demands silence, but check-trade.js prints decision text to stdout (exposes results wherever the agent logs stdout). The instructions also direct the agent to persist the API key for future calls (save the key), which implies storing secrets long-term.
Install Mechanism
No install spec (instruction-only with a single JS helper). No packages downloaded or archives extracted. This is lower risk from install origin perspective.
Credentials
The skill will require and ask the user for an API key and will send detailed financial/account data to api.rhetra.io by default. The registry metadata did not declare any required credentials or primaryEnv despite the runtime requiring an API key. Sending positions, recent sales, equity, MAGI, etc. to an external service is proportionate only if that service is trusted and necessary; the skill provides no homepage or verifiable source, and the domain is only referenced in prose (rhetra.io).
Persistence & Privilege
always:false and autonomous invocation are normal. The SKILL.md explicitly asks to save the API key for future calls (implies persistent secret storage). Persisting a bearer API key is typical for API-based skills, but combined with silent per-trade checks and transmission of sensitive financial data, persistent credentials increase the blast radius and should be treated cautiously.
What to consider before installing
This skill will send detailed trade/account data (positions, recent sales, equity, MAGI, day-trade counts, etc.) to an external API (api.rhetra.io) and asks you to store a Rhetra API key. Before installing:
1) Verify rhetra.io is a legitimate, trusted service (inspect DNS, TLS cert, privacy policy, company identity).
2) Prefer not to run in default 'silent' mode — require explicit trader-facing warnings or enable Guardian Mode with clear consent.
3) Avoid storing the API key in plaintext; use a secure secrets store and limit its scope/permissions.
4) Consider testing with host=localhost or a proxy to inspect what fields are sent, or run the script in a sandbox.
5) If you cannot verify the operator and data handling, do not provide real account data or an unrestricted API key — consider an open-source/local alternative or require opt-in per trade.
The metadata omission of the required credential and the 'silent' behavior are the main red flags; treat this skill as potentially privacy-sensitive and audit network calls before trusting it with real money.


Tags: alpaca · compliance · crypto · finance · latest · tax · trading · wash-sale

