Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
finance-airoom v1.0.0
Provides AI with structured, simulated global financial market data and built-in quantitative strategies for real-time monitoring and economic decision-making.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The code (main.py) and READMEs implement a WordPress file downloader that fetches financial data files — this matches the skill's stated purpose. However, the registry metadata lists no required env vars, while _meta.json claims WP_URL and WP_TARGET_URL are required; the Python code itself also provides sensible defaults for airoom.ltd and the target page. That mismatch between declared requirements and actual defaults is an incoherence to be aware of. The absence of a homepage and an anonymous owner ID reduce provenance/trust.
Instruction Scope
SKILL.md/README are largely product manuals and include broad promotional/ideological instructions (one‑click deployment to many AI devices, community linkage, urging AIs to interconnect) beyond a simple downloader. Runtime code appears confined to downloading files from a target page and saving them locally, but the documentation explicitly encourages large-scale deployment and external action by agents — scope creep relative to a simple data-fetching helper and a potential risk if an agent were instructed to propagate or auto-deploy the skill widely.
Install Mechanism
The skill is listed as instruction-only in the registry but includes code and a requirements.txt; _meta.json documents installation steps (pip install -r requirements.txt and 'playwright install chromium'). Installing Playwright/Chromium is a heavier install (downloads browser binaries). The registry's lack of an explicit install spec versus the _meta.json instructions is inconsistent. No opaque download URLs or extracted arbitrary archives are present in the package itself.
Credentials
The package can accept WP_URL, WP_TARGET_URL, WP_USERNAME, WP_PASSWORD, WP_OUTPUT_DIR, and WP_MAX_FILES via environment variables. These are proportionate for a WordPress downloader, but there is a mismatch: the registry summary claims no required env vars while _meta.json lists WP_URL and WP_TARGET_URL as required. The code also supplies defaults (http://airoom.ltd and a default target page) so requiring env vars is not strictly necessary. Requesting WordPress credentials only when a page requires login is reasonable, but supplying credentials to an unknown third-party site (defaulting to an HTTP URL) is potentially risky.
Persistence & Privilege
The skill does not request always:true or force persistent inclusion, and it does not appear to modify other skills or global agent settings. It does read a config file under ~/.config/airoom-ltd-global-finance-data-platform if present and writes downloaded files to a local directory; that is normal for a downloader and not excessive privilege on its own.
What to consider before installing
Before installing, consider the following:
(1) Source verification: there is no homepage and the owner is anonymous — prefer packages with a clear, verifiable origin.
(2) Credential caution: the manifest claims WP_URL/WP_TARGET_URL are required but the code has defaults; do not provide WordPress credentials unless you trust the remote site.
(3) Network security: the default site uses http://airoom.ltd (not HTTPS) — fetching data over HTTP is vulnerable to interception and tampering; change the target to an HTTPS URL you trust.
(4) Installation footprint: this package expects Playwright and Chromium (large browser binaries) — install these only in a controlled/sandboxed environment.
(5) Files downloaded: the downloader allows ZIP/RAR/7z archives and will save files locally — inspect any downloaded archives before executing.
(6) Documentation content: SKILL.md contains broad calls for mass deployment and ideological messaging; treat those as promotional and do not let an agent autonomously propagate the skill.
What would change this assessment: a verifiable project homepage or VCS repo, an identified maintainer, a registry install spec matching the code, HTTPS-hosted data endpoints, and an explicit privacy/telemetry statement (confirmation that no data is exfiltrated).
