Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

US Stock Market NYSE NASDAQ DOW

v1.0.0

Get US stock market data (NYSE, NASDAQ, and major indices) via FinanceAgent on OneKey Gateway.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (get US stock data via OneKey FinanceAgent) align with the declared npm dependency and the described API calls to the OneKey agent_router endpoint.
Instruction Scope
SKILL.md only instructs setting a OneKey API key, installing/using the @aiagenta2z/onekey-gateway npm package, and calling the OneKey gateway via CLI or curl. There are no instructions to read unrelated system files, access unrelated env vars, or exfiltrate data to unexpected endpoints beyond agent.deepnlp.org/OneKey.
Install Mechanism
Install is an npm package (@aiagenta2z/onekey-gateway) with suggested global install (npm -g). Installing npm packages is expected for this use-case but is a moderate-risk action compared with instruction-only skills; users should verify the package publisher and contents before running a global install.
Credentials
SKILL.md requires DEEPNLP_ONEKEY_ROUTER_ACCESS (OneKey Gateway API key), which is appropriate for the described gateway calls — but the registry metadata earlier lists no required env vars. This mismatch (metadata says none, runtime doc says key required) is an incoherence that should be resolved.
Persistence & Privilege
Skill is instruction-only with no install script that persists special privileges, and flags show always:false. It does not request permanent agent presence or modify other skills.
What to consider before installing
This skill appears to do what it claims (query stock quotes via the OneKey/FinanceAgent gateway). Before installing or using it:
(1) Confirm the discrepancy between the registry metadata and SKILL.md — SKILL.md requires DEEPNLP_ONEKEY_ROUTER_ACCESS but the registry shows no required env; ask the publisher to clarify.
(2) Verify and inspect the npm package @aiagenta2z/onekey-gateway (publisher, source repository, recent releases) before running npm -g install; prefer a non-global install if possible.
(3) Only provide an API key to services you trust; the key gives the skill access to the OneKey gateway under your account, so consider using a scoped or limited key.
(4) Check that the endpoint agent.deepnlp.org and the unique_id/api_id are what you expect for the FinanceAgent integration.
If the publisher can't explain the metadata mismatch or you don't trust the npm package or gateway, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bsgykg0ydw1rdqeyr1bq55n83wbng
