Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Prices
v1.0.1
Query real-time stock prices and market data using the Stock Prices API. Responses are in TOON format—decode with @toon-format/toon. Use when fetching stock...
⭐ 0· 2.8k·13 current·13 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, API base URL, endpoints, example requests, and decoding instructions all align with a stock-quote retrieval skill. There are no declared env vars, binaries, or config paths that are unrelated to fetching or decoding quotes.
Instruction Scope
SKILL.md only instructs the agent to call the provided HTTPS endpoint and decode the TOON response with an npm package; it does not direct access to unrelated files, environment variables, or external endpoints beyond the described API and the suggested decoder.
Install Mechanism
The skill is instruction-only (no install spec), which is low-risk. It suggests installing @toon-format/toon via pnpm for decoding; this is reasonable for the stated purpose but is an external package so verify its provenance before installing in environments with strict supply-chain requirements.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to a public-stock-quote fetcher that does not advertise authenticated endpoints.
Persistence & Privilege
The skill does not request persistent/always-on privilege and uses default invocation settings. It does not instruct modifying other skills or system-wide settings.
Assessment
This skill appears coherent and limited to fetching and decoding stock data. Before installing or using it, verify two things: (1) the API host (https://stock-prices.on99.app): confirm you trust the operator, check HTTPS/TLS and any privacy or rate-limit policies; (2) the npm package @toon-format/toon: inspect the package source, maintainers, and download counts to ensure it's legitimate. If you plan to use this with private or sensitive data, consider whether the API requires and authenticates requests, and avoid embedding secrets in plain query strings. If you need guaranteed provenance, prefer an official/known data provider or self-host a vetted decoder implementation.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cnq2qr9pc0gmmtwsy9e5fnh81a3xw
