Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

UK Stock Market London Stock Exchange

v1.0.0

Get UK (London Stock Exchange, LSE) market data via FinanceAgent on OneKey Gateway.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (fetch LSE market data via FinanceAgent on OneKey Gateway) matches the SKILL.md instructions (npx/HTTP calls to agent.deepnlp.org and the aiagenta2z/financeagent API). However, the registry metadata lists no required env vars or install spec while SKILL.md explicitly requires DEEPNLP_ONEKEY_ROUTER_ACCESS and an npm dependency (@aiagenta2z/onekey-gateway). This metadata mismatch is an incoherence.
Instruction Scope
SKILL.md instructs only to set an access key, install/use the onekey gateway npm package, call the named agent API, and shows a curl POST to https://agent.deepnlp.org/agent_router. It does not direct reading of unrelated files, system paths, or transmitting data to unrelated endpoints.
Install Mechanism
Installation is via a public npm package (@aiagenta2z/onekey-gateway) invoked via npm/npx. Using an npm package is expected for this functionality but carries moderate risk if the package/publisher is unverified. No direct downloads from arbitrary URLs are present.
Credentials
Only one secret is required by the SKILL.md (DEEPNLP_ONEKEY_ROUTER_ACCESS), which is reasonable for access to a gateway API. However, the registry metadata incorrectly lists no required env vars—this mismatch could cause users to overlook that they must supply an API key.
Persistence & Privilege
The skill does not request always:true and does not declare system config or other skills' settings. It is user-invocable and can be invoked autonomously (platform default), which is expected for a network-calling integration.
What to consider before installing
This skill appears to do what its description says, but the registry metadata and the SKILL.md disagree: SKILL.md requires an API key (DEEPNLP_ONEKEY_ROUTER_ACCESS) and an npm package (@aiagenta2z/onekey-gateway) while the registry lists none. Before installing or providing credentials:
1) verify the npm package and its publisher (search the package on npmjs.org and review its maintainer and source code);
2) verify the legitimacy of the endpoint (agent.deepnlp.org) and the OneKey service;
3) provide only a dedicated, least-privilege API key (not reusable production credentials);
4) prefer installing packages locally or using npx rather than global -g installs; and
5) ask the skill author to update registry metadata to reflect the required env var and dependency.
If you cannot validate the npm package or endpoint, do not provide your access key.

Like a lobster shell, security has layers — review code before you run it.
