Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FireAnt Stock Price Checker

v1.1.0

Automated Vietnamese stock price and index checking on FireAnt.vn. Use when checking current stock prices, market indices, trading volumes, or financial info...

by Loc Vo (@aholake)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (FireAnt stock/index lookup) aligns with the included script which opens FireAnt URLs and extracts prices/stats. Minor inconsistencies: _meta.json.slug is 'vietstock' while registry slug is 'fireant-stock', and SKILL.md mentions performing a Google search to find pages but the script simply constructs the FireAnt URL directly. The declared dependency on an 'agent-browser' CLI is reasonable for a headless browser workflow.
Instruction Scope
SKILL.md restricts actions to opening FireAnt pages via an Agent Browser and extracting data. However, the script invokes an external binary via subprocess.run using a hard-coded, user-specific absolute path '/Users/loc/Library/pnpm/agent-browser' rather than a generic 'agent-browser' on PATH. Executing arbitrary binaries at absolute paths is risky and non-portable; this is the main scope/behavior concern. The script does not access environment variables, other files, or external endpoints beyond the target site.
Install Mechanism
There is no install spec. The skill expects an external 'agent-browser' CLI but does not provide an installation step or verified source for that dependency. This increases friction and risk because a user must supply/install the dependency themselves; verify you obtain agent-browser from a trusted upstream.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The lack of requested secrets is proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. It does not modify other skills or system configs. Autonomous invocation is allowed by default (disable-model-invocation=false) which is normal for skills and not, by itself, a concern.
What to consider before installing
This skill appears to do what it says (fetch and parse FireAnt pages) but review before use:
1) Inspect and, if needed, modify the hard-coded agent-browser path in scripts/check_stock.py — it should call a trusted binary on PATH, not /Users/loc/Library/…;
2) Verify the source and integrity of the 'agent-browser' CLI before installing/running it;
3) Note the metadata mismatch (slug 'vietstock' vs registry 'fireant-stock') — this may indicate sloppy packaging;
4) Run the script in an isolated environment (sandbox/container) first, and open the snapshot output to ensure it contains only public web content;
5) If you need to permit autonomous invocation, be extra cautious because the script will execute a local binary.
If you cannot verify the agent-browser binary's origin, do not run this skill.

Like a lobster shell, security has layers — review code before you run it.
