finance

v1.1.2

Track stocks, ETFs, indices, crypto (where available), and FX pairs with caching + provider fallbacks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Code implements price lookups (yfinance for stocks, open.er-api.com for FX), historical series, and a local watchlist — this matches the skill description. However the SKILL.md metadata advertises requiredEnv entries (TWELVEDATA_API_KEY, ALPHAVANTAGE_API_KEY) and a stateDirs path ('.cache/finance') that do not appear in the registry metadata and do not match the code (which uses '.cache/market-tracker'). That mismatch is inconsistent but not necessarily malicious.
Instruction Scope
Runtime instructions are narrow and explicit: create a virtualenv, pip install requirements, run the provided scripts. The scripts read/write a local cache and watchlist and call the expected external providers (Yahoo via yfinance and open.er-api.com). The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no remote install script or arbitrary-download step. The SKILL.md tells the user to create a venv and pip install from requirements.txt (yfinance, pandas, requests) — standard for a Python script bundle. No suspicious third-party URLs or archive extraction steps are present.
Credentials
Registry metadata reports no required env vars, but SKILL.md's embedded metadata lists TWELVEDATA_API_KEY and ALPHAVANTAGE_API_KEY as requiredEnv (and providers.md mentions optional paid providers). The code does not read those env vars. Asking for API keys in documentation without implementing their use is a risky mismatch: users might export sensitive keys unnecessarily. Also the SKILL.md stateDirs ('.cache/finance') differs from the actual cache path used by the scripts ('.cache/market-tracker').
Persistence & Privilege
The skill writes cache files and a watchlist under a local .cache directory ('.cache/market-tracker'). This is expected for a market-tracking tool. 'always' is false and the skill does not request system-wide privileges. The metadata/stateDirs mismatch is worth noting so users know where files will actually be stored.
What to consider before installing
What to check before installing:
- Do not export or provide API keys (TWELVEDATA_API_KEY, ALPHAVANTAGE_API_KEY) unless you confirm the code actually uses them; the packaged scripts do not read these env vars today. Avoid putting sensitive keys in your environment for this skill unless you add a provider that needs them and you review the implementation.
- Expect the skill to create and write files in your project under .cache/market-tracker (watchlist.json, cached JSON). The SKILL.md metadata mentions .cache/finance but the code uses .cache/market-tracker — verify which path is acceptable for you.
- The scripts make outbound network requests to open.er-api.com and to Yahoo via yfinance (which performs HTTP requests). If you run this in a network-restricted environment, allowlist those endpoints or run offline.
- Installation requires pip packages (yfinance, pandas, requests). Run in an isolated virtualenv and inspect requirements.txt before pip installing.
- If you plan to add paid providers later, review and test any code changes that read API keys; don't paste secrets until you verify the exact code paths that use them.
- Overall risk: functionality appears legitimate, but packaging/metadata sloppiness could confuse users and accidentally lead to sharing secrets. If you need higher assurance, request the author fix the metadata inconsistencies and/or provide a minimal README listing exactly which env vars the code reads.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)
Skill pack · CLI binary · Config
Config requirements
Required env: TWELVEDATA_API_KEY, ALPHAVANTAGE_API_KEY
State dirs: .cache/finance
latestvk9761ggzej1yxqcmqbgf40kfw580bcpm

Config example

Starter config for this plugin bundle.

# Optional (only if you add a paid provider later)
# export TWELVEDATA_API_KEY="..."
# export ALPHAVANTAGE_API_KEY="..."
