daily-investment-digest
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: daily-investment-digest Version: 1.0.0 The skill bundle is a well-structured tool designed to fetch investment data from the iYiou API and generate formatted Markdown reports. The scripts (fetch_events.mjs, generate_report.mjs, and run_full_report.mjs) implement robust error handling, data normalization, and pagination logic without any external dependencies or suspicious system calls. There is no evidence of data exfiltration, unauthorized network activity, or malicious prompt injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will contact the iYiou API to retrieve financing-event data; increasing page limits could make more external requests.
The tool performs outbound requests to a fixed external API and has bounded pagination controls. This is disclosed and purpose-aligned, but users should notice that invoking the skill contacts an external service and can make multiple page requests.
const API_URL = "https://api.iyiou.com/skill/info"; ... options.maxPage = clamp(options.maxPage, 1, 500);
Use it only for the intended financing-report task and keep the documented default max-page value unless the user explicitly requests more.
Installing and using the skill means allowing its bundled JavaScript files to run locally.
The wrapper script launches two bundled Node scripts to pipe fetch output into report generation. It uses process.execPath and fixed script paths rather than a shell command string, so this appears expected for the skill's one-command workflow.
const fetchProc = spawn(process.execPath, fetchArgs, { stdio: ["ignore", "pipe", "pipe"] });Review the bundled scripts and invoke the documented command path; avoid modifying arguments to point at unrelated scripts or inputs.
Users have less publisher/source context to rely on and should ensure their environment can run the documented Node scripts.
The registry metadata provides limited provenance and does not declare a Node runtime requirement, even though SKILL.md documents Node-based commands. This is a metadata completeness/provenance note, not evidence of malicious behavior.
Source: unknown Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Verify the publisher/source if provenance matters, and confirm Node.js is available before relying on the skill.