ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

India NSE stock market data

v1.0.0

Get India NSE stock market data via FinanceAgent on OneKey Gateway.

0· 47·0 current·0 all-time
by@ai-hub-admin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md clearly describes calling the OneKey Gateway (aiagenta2z/financeagent get_india_stock_market_nse_india) to fetch NSE data; that capability aligns with the skill name and description. However, the registry metadata claims no required env vars or installs while the SKILL.md requires DEEPNLP_ONEKEY_ROUTER_ACCESS and an npm package, which is an inconsistency in declared purpose vs. actual requirements.
Instruction Scope
Runtime instructions only show setting an API key, installing/using the @aiagenta2z/onekey-gateway package, and calling the OneKey agent endpoint (or using npx). The instructions do not ask the agent to read unrelated local files, other credentials, or send data to unexpected endpoints beyond the documented agent_router URL.
Install Mechanism
There is no install spec in the registry, but SKILL.md instructs installing an npm package (@aiagenta2z/onekey-gateway) and shows npm/npx usage. Using an npm scoped package is a common pattern, but because the package author and source are not verified here, installing external npm packages carries moderate risk and should be reviewed before running globally.
!
Credentials
SKILL.md declares DEEPNLP_ONEKEY_ROUTER_ACCESS as a required API key — this is proportionate for calling the OneKey Gateway. The concern is that the registry metadata lists no required env vars (and no primary credential), so the published manifest does not reflect the skill's actual secret requirement. That mismatch may lead to accidental exposure or confusion about what credentials are needed.
Persistence & Privilege
Skill is instruction-only (no code files) and does not request always:true or any system-wide configuration changes. It does not request persistent agent privileges or modify other skills.
What to consider before installing
This skill appears to do what it claims (call a OneKey finance agent) but the package metadata is inconsistent with the runtime instructions. Before installing or using it: 1) Verify the npm package @aiagenta2z/onekey-gateway on the npm registry and review its maintainer, version history, and source code (or request a homepage/repo). 2) Do not run global npm installs unless you trust the package; prefer local installs and inspect the package contents. 3) Confirm the intended endpoint (https://agent.deepnlp.org) and that your DEEPNLP_ONEKEY_ROUTER_ACCESS key grants only the minimum necessary permissions. 4) Ask the publisher to correct the registry metadata so required env vars and dependencies are accurately declared. If you cannot verify the npm package and publisher, treat the dependency as untrusted code and avoid installing it on sensitive machines.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a25jkscm0qn8j0z6bx9wmen83x9mj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments