Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Investment Research Analyst

v1.0.0

Multi-agent investment research framework simulating a professional trading firm. Performs comprehensive stock analysis including fundamentals, news, sentime...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (multi‑agent investment research) aligns with the SKILL.md content: it references appropriate data sources (akshare for A‑shares, yfinance for US tickers) and describes the expected analyses. However, the skill cites Python libraries (akshare, yfinance) and external data sources (Twitter/X, Reddit, StockTwits, broker ratings, institutional holdings) without declaring dependencies, install steps, or required API keys — a mismatch between declared requirements (none) and what the instructions actually assume.
!
Instruction Scope
Instructions explicitly direct fetching financials, social‑media sentiment, short interest/insider/institutional data, and then deploying a public Dashboard via a 'deploy' tool. The SKILL.md gives no constraints or explicit data source endpoints and asks the agent to publish/share results; that grants broad discretion to access external web APIs or scraping and to transmit potentially sensitive outputs to an external endpoint. There is also an implied multi‑agent orchestration but no guardrails about what data may be included in published reports.
Install Mechanism
No install specification or code files are provided (instruction‑only), which is low risk in itself. But Python code examples import akshare and yfinance — these packages may not be present in the runtime, meaning the agent might attempt to pip install them or fail. The absence of install instructions is an operational omission rather than direct maliciousness, but it is an incoherence the user should be aware of.
!
Credentials
The skill requests no environment variables or credentials, yet operationally it likely needs API keys/credentials for some data sources (Twitter/X API, paid data providers, or a deploy/publishing service). Not declaring these credentials is a mismatch: the agent might try to use whatever credentials are available in the environment or prompt for new ones. That increases the risk of unintended credential use or accidental data exfiltration.
Persistence & Privilege
No 'always: true' or other elevated persistence flags are set. The skill is user-invocable and allows autonomous model invocation (platform default). It does not declare writing to other skill configs or system paths. No extra privilege requests are visible.
What to consider before installing
This skill appears to do legitimate investment research but has operational gaps you should resolve before use. Ask the author for (or require) clear declarations of: (1) which Python packages must be installed (akshare, yfinance, any sentiment or scraping libs) and an install plan; (2) which external services/APIs will be used and what credentials they require; and (3) what the 'deploy' tool is, where it will publish reports, and who can access published links. If you run it, prefer an isolated environment, do not supply high‑privilege credentials, and confirm the deploy target and sharing settings so sensitive inputs or proprietary data are not accidentally published. If you need higher assurance, request that the skill add explicit dependency and credential fields or provide a vetted implementation that limits network publishing.

Like a lobster shell, security has layers — review code before you run it.
