Finam
v1.0.3Execute trades, manage portfolios, access real-time market data, browse and search market assets, scan volatility, and answer questions about Finam Trade API
⭐ 0· 742·2 current·2 all-time
byAlexander Panov@alexander-panov
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (trade execution, portfolio management, market data) aligns with the provided REST/gRPC references and shell/python examples. The required binaries (curl, jq, python3) and env vars (FINAM_API_KEY, FINAM_ACCOUNT_ID) are appropriate. Note: bundled scripts implement asset search and volatility scanning and provide examples for data/account queries; there is no local Python script that automatically places orders, though the README and reference docs include order placement examples (via REST/gRPC).
Instruction Scope
SKILL.md instructions and the scripts stay within the Finam API scope: obtaining a JWT from the API, calling assets/instruments/accounts endpoints, reading provided asset lists, and fetching news RSS. The only environment variable the runtime sets is FINAM_JWT_TOKEN (a session token obtained from FINAM_API_KEY). There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec — instruction-only with bundled Python scripts. This is low-risk compared with remote downloads. Scripts are local and executed with python3; no external archives or arbitrary-code downloads are performed by the skill.
Credentials
The skill only requests FINAM_API_KEY and FINAM_ACCOUNT_ID (and uses FINAM_JWT_TOKEN as a transient session token). Those are proportionate to interacting with Finam's API. No unrelated secrets, cloud credentials, or broad system config paths are requested.
Persistence & Privilege
Skill is not always-enabled. It only writes its own FINAM_JWT_TOKEN environment variable at runtime (for convenience). It does not request permanent system-wide privileges, modify other skills, or alter agent configurations outside its scope.
Assessment
This skill appears to be what it says: it uses your FINAM_API_KEY to obtain a short-lived JWT and then calls Finam endpoints to search assets, fetch market data, and compute volatility. Before installing: 1) Treat your FINAM_API_KEY as powerful — it may allow trading; prefer a read-only key or restricted-scope token if the provider offers it. 2) Review whether you want the agent to be able to place orders: the code included does not automatically place orders, but the docs/examples show how to do so — avoid providing keys that allow full trading if you only need market data. 3) Be aware of API rate limits (docs mention 200 req/min); the volatility scanner can issue many calls. 4) The skill sets FINAM_JWT_TOKEN in the environment for convenience — understand that this session token is stored in your process environment (short-lived). 5) If you rely on this skill in automated workflows, audit any order-placement steps and consider manual confirmation for trade actions. If you want more assurance, request the author/signer identity or a canonical source repository for the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk973q90mfbj8sfez1zgean84rd84bsk2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📈 Clawdis
Binscurl, jq, python3
EnvFINAM_API_KEY, FINAM_ACCOUNT_ID