Options Spread Conviction Engine
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: options-spread-conviction-engine
Version: 2.2.1
The skill is classified as suspicious due to several high-risk behaviors and documented vulnerabilities. The `SKILL.md` instructs the AI agent to execute `sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf`, which attempts privilege escalation by requiring `sudo` access to create a symlink in a system-wide executable path. Additionally, `scripts/chain_analyzer.py` uses `pickle.dump` and `pickle.load` for caching, which is a known deserialization vulnerability if an attacker can inject malicious data into the cache directory. The internal `CODE_REVIEW_REPORT.md` further highlights critical vulnerabilities such as 'Inconsistent Error Handling', 'Bare Except Clauses', and 'Missing Input Validation' across the codebase, which could lead to unpredictable behavior or be exploited for remote code execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may pull in third-party packages from package managers, so the installed code can change over time if versions are not pinned.
The setup guidance installs external dependencies and a Yahoo Finance CLI package without pinned versions; this is relevant supply-chain surface, though it is disclosed and aligned with market-data analysis.
brew install jq
npm install yahoo-finance2
sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf
Review the setup script and dependency list before installing; prefer pinned versions or a virtual environment where possible.
Setup may execute local project code to create an environment and install dependencies.
The skill declares a local setup command that executes a helper script during environment preparation. This is normal for a Python CLI skill but should be visible to users.
kind: exec
command: "cd {baseDir} && python3 scripts/setup-venv.sh"
Install only from a source you trust and inspect setup-venv.sh if you want to understand exactly what will run.
Running the command can modify a system-wide executable location.
The documented setup asks for elevated privileges to write a symlink into a system-wide PATH directory. This is disclosed, but it exceeds ordinary per-user setup.
sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf
Only run the sudo command if you understand why it is needed; consider using a user-local bin directory or adjusting PATH instead.
A user or agent could over-rely on the score and enter risky options trades without independent review.
The skill presents model output as an actionable trading tier. This is coherent with its stated purpose, but options trades can have real financial consequences.
| 80-100 | EXECUTE | High conviction — Enter the spread |
Treat outputs as decision support, not financial advice or permission to trade automatically; verify assumptions, risk, and account suitability before acting.
