Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FireAnt Stock Checker
v1.1.0
Automated Vietnamese stock price and index checking on FireAnt.vn. Use when checking current stock prices, market indices, trading volumes, or financial info...
⭐ 0· 1.7k·2 current·2 all-time
by Loc Vo @aholake
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (FireAnt stock checker) align with the included script which scrapes FireAnt.vn. However the script requires an external 'openclaw' command-line tool (used for browser automation) but the registry metadata and SKILL.md declare no required binaries or install steps. That undeclared dependency is an incoherence: a user would need the 'openclaw' binary for the skill to work, and its presence/behavior affects security.
Instruction Scope
The runtime instructions and the script stay within the stated purpose: they automate a browser to load Google/FireAnt pages, take snapshots, and parse page content for stock/index data. The script does not access unrelated files or environment variables, nor does it transmit extracted data to any third-party endpoint beyond browsing FireAnt/Google via the OpenClaw client.
Install Mechanism
There is no install spec (lowest-risk pattern) and the skill only includes a Python script. However the script executes an external binary ('openclaw') via subprocess; that binary is not provided or declared. Because the skill relies on an external tool that would be present on the host, the install footprint is small but the undeclared external dependency is noteworthy.
Credentials
The skill requests no environment variables, credentials, or config paths. The script runs subprocesses but does not attempt to read secrets or other environment variables. No unnecessary credential access is requested.
Persistence & Privilege
The skill is not forced-always and does not modify other skills or system configs. It can be invoked autonomously (disable-model-invocation=false), which is the platform default; combined with the other issues this is not itself a new concern.
What to consider before installing
This skill appears to do what it says (browse FireAnt and parse stock data), but it calls an external 'openclaw' CLI that the metadata does not declare or install. Before installing or running: (1) Confirm whether your environment includes a trusted 'openclaw' binary and understand what that binary does (source, permissions, network access). (2) If you don't have openclaw, ask the author for installation instructions or a reputable repository/homepage. (3) Consider running the script in a sandboxed environment first — it automates a browser via subprocess calls, so a malicious or compromised OpenClaw binary could perform unintended actions. (4) If you need higher assurance, request an author/homepage or review the OpenClaw client implementation; lack of author/homepage and undeclared dependencies lowers trust.
Like a lobster shell, security has layers — review code before you run it.
