ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PineTS - PineScript executor

v1.0.0

Run Pine Script indicators from the command line using pinets-cli. Use when asked to execute, test, or analyze Pine Script indicators, calculate technical an...

4· 701·0 current·0 all-time
byAlaa-eddine K.@alaa-eddine
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name & description (PineScript executor) match the declared requirement (the 'pinets' binary) and the SKILL.md usage. The commands/examples all relate to running Pine Script indicators and producing JSON output.
Instruction Scope
SKILL.md stays focused on running pinets and supplying candle data via symbol or --data JSON. It references fetching live Binance data (i.e., network access) and suggests using npx to run the CLI, which implicitly causes remote code execution when run via npx. The instructions do not ask the agent to read unrelated system files, environment secrets, or post outputs to arbitrary endpoints.
Install Mechanism
The skill is instruction-only (no install spec), but the README suggests npm install -g or npx pinets-cli. Using npx will fetch and execute code from the npm registry on demand — expected for this tool but carries the usual risk of executing remote package code if you don't trust the package/source. The SKILL.md points to a GitHub repo (QuantForgeOrg/pinets-cli), which provides traceability.
Credentials
The skill declares no required environment variables or credentials. That is proportionate to the described use; SKILL.md does not ask for secrets. Note: if you run pinets and it fetches private/exchange APIs or requires API keys, the README does not document those keys — you should confirm requirements before providing any credentials.
Persistence & Privilege
always is false and there is no install/daemon behavior. The skill does not request persistent elevated privileges or modifications to other skills/configs.
Assessment
This skill is coherent and appears to be a documentation wrapper for the pinets-cli npm tool. Before installing or running it: 1) prefer installing the pinets-cli package yourself (npm install -g) or inspect the package source on the linked GitHub repo rather than blindly running npx; npx downloads and runs code from the npm registry at runtime. 2) Be aware the CLI may fetch market data over the network (Binance or other endpoints) — confirm it doesn't require or leak any API keys you don't want to share. 3) If you will run it in an automated agent, ensure the runtime environment already has the expected pinets binary or that installing from npm is acceptable for your security posture.

Like a lobster shell, security has layers — review code before you run it.

latestvk978j6mdas2vdjbr1qfkb70qan816dh5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Binspinets

Comments