Stock Prices

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: stock-prices
Version: 1.0.1

The skill is classified as suspicious primarily due to the `pnpm add @toon-format/toon` instruction found in `SKILL.md`. If an AI agent executes this instruction as part of skill setup or execution, it introduces a significant supply chain vulnerability. This allows the agent to install an arbitrary external package, which could lead to arbitrary code execution if the `@toon-format/toon` package (or a typosquatted version) were compromised or malicious. While the stated purpose of the skill (fetching stock prices from `https://stock-prices.on99.app`) appears benign, this capability represents a high-risk action without clear malicious intent from the skill itself, thus classifying it as suspicious rather than malicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your stock-symbol queries may be visible to the external API provider.

Why it was flagged

The skill directs the agent or user to call a third-party stock-price API. This is disclosed and purpose-aligned, but it means requested ticker symbols are sent to that provider.

Skill content

curl "https://stock-prices.on99.app/quotes?symbols=NVDA"

Recommendation

Use it for non-sensitive market lookups, and avoid sending private portfolio context unless you are comfortable sharing it with the API provider.

What this means

Installing the optional decoder adds trust in an external npm package and its future versions.

Why it was flagged

The artifact suggests a user-directed package installation without pinning a version. This is relevant supply-chain exposure, but it is optional, disclosed, and directly tied to decoding the API response format.

Skill content

Install the TOON decoder for parsing: `pnpm add @toon-format/toon`

Recommendation

If installing the decoder, verify the package name, consider pinning a version, and install it only in an appropriate project environment.