finance

Pass

Audited by ClawScan on May 1, 2026.

Overview

This finance skill appears benign: it fetches market data from disclosed providers and stores a local cache/watchlist, with minor notes about dependency pinning and unused API-key placeholders.

This skill is reasonable to install if you want local market-data lookups. Use a virtual environment, be aware that symbols are queried through external providers, do not provide the unused Twelve Data or Alpha Vantage keys unless you modify the skill, and delete .cache/market-tracker if you do not want saved watchlist/cache data retained.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Ticker or FX symbols you ask about may be visible to Yahoo Finance/yfinance or open.er-api and may be affected by their rate limits or data quality.

Why it was flagged

The skill uses external market-data providers to answer quote requests. This is disclosed and central to the purpose, but queried symbols may be sent to third-party services.

Skill content

- Stocks/ETFs/indices (via yfinance)
- FX pairs (via ExchangeRate-API open access)

Recommendation

Use the skill only for symbols you are comfortable querying through those providers, and consider a reviewed paid provider if you need stronger reliability or privacy guarantees.

What this means

Installing later may pull newer package versions than the author tested.

Why it was flagged

The install uses unpinned lower-bound Python dependencies, so future dependency versions could change behavior. This is common for Python tools but worth noticing.

Skill content

yfinance>=0.2.40
pandas>=2.0.0
requests>=2.31.0

Recommendation

Install in a virtual environment and consider pinning exact versions or using a lockfile for repeatable installs.

What this means

A user might provide API keys that are unnecessary for the current implementation.

Why it was flagged

The skill frontmatter names provider API keys as required environment variables, while the surrounding text frames them as optional future placeholders and the included code does not use them.

Skill content

requiredEnv":["TWELVEDATA_API_KEY","ALPHAVANTAGE_API_KEY"], ... "# Optional (only if you add a paid provider later)"

Recommendation

Do not configure these API keys unless you intentionally extend the skill to use those paid providers; maintainers should mark them optional or remove the required-env metadata.

What this means

Someone with access to the working directory could see the saved watchlist or cached symbols.

Why it was flagged

The skill persists a local watchlist, and quote scripts also write cache files. This is expected for tracking, but it records the user's market interests locally across runs.

Skill content

WATCHLIST_PATH = os.path.join(".cache", "market-tracker", "watchlist.json")

Recommendation

Review or delete the .cache/market-tracker directory if you do not want watchlist or quote-cache data retained.