Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
open-market-data
v0.1.0
Query free financial data APIs — stocks, crypto, macro, SEC filings
by @anotb
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (query free financial data) align with the declared binaries (node + omd) and the SKILL.md usage examples. The omd CLI is the expected tool for this purpose and the SKILL.md documents the data sources the CLI uses.
Instruction Scope
SKILL.md only instructs the agent to run the omd CLI, configure API keys (env or CLI), and query listed public data sources. It does not instruct reading unrelated files or exfiltrating arbitrary system data.
Install Mechanism
Install uses an npm package (kind: node, package: open-market-data) that creates the omd binary. npm-based installs are common and coherent here, but they run code from the package registry (moderate trust requirement). There are no in-repo code files to inspect in this skill bundle, so the actual package contents were not analyzed.
Credentials
SKILL.md documents optional API keys (FRED, CoinGecko, Finnhub, AlphaVantage) and an EDGAR_USER_AGENT; none are declared as required by the registry, which is reasonable. The listed env vars are proportional to a data-aggregator CLI that can use multiple upstream providers.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config modification. disable-model-invocation is false (normal) so autonomous invocation is allowed by platform default — no additional persistence privileges were requested.
Assessment
This skill appears coherent: it wraps a CLI (omd) for public financial APIs and documents optional API keys. However, the install step pulls an npm package — npm packages can execute code during install and are not pre-reviewed here. Before installing, verify the npm package and upstream GitHub repository (SKILL.md points to https://github.com/anotb/open-market-data) for legitimacy and the expected version. Prefer creating/using only the specific API keys you need, and avoid exposing high-privilege credentials. If you need stronger assurance, fetch and inspect the npm package contents (or the upstream repo) before installation or run the install in an isolated environment.
Tags: crypto, edgar, finance, fred, latest, macro, sec, stocks
Runtime requirements
📈 Clawdis
Bins: node, omd
Install
Node
Bins: omd
npm i -g open-market-data