finance

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Ticker or FX symbols you ask about may be visible to Yahoo Finance/yfinance or open.er-api and may be affected by their rate limits or data quality.

Why it was flagged

The skill uses external market-data providers to answer quote requests. This is disclosed and central to the purpose, but queried symbols may be sent to third-party services.

Skill content

- Stocks/ETFs/indices (via yfinance)
- FX pairs (via ExchangeRate-API open access)

Recommendation

Use the skill only for symbols you are comfortable querying through those providers, and consider a reviewed paid provider if you need stronger reliability or privacy guarantees.

What this means

Installing later may pull newer package versions than the author tested.

Why it was flagged

The install uses unpinned lower-bound Python dependencies, so future dependency versions could change behavior. This is common for Python tools but worth noticing.

Skill content

yfinance>=0.2.40
pandas>=2.0.0
requests>=2.31.0

Recommendation

Install in a virtual environment and consider pinning exact versions or using a lockfile for repeatable installs.

What this means

A user might provide API keys that are unnecessary for the current implementation.

Why it was flagged

The skill frontmatter names provider API keys as required environment variables, while the surrounding text frames them as optional future placeholders and the included code does not use them.

Skill content

requiredEnv":["TWELVEDATA_API_KEY","ALPHAVANTAGE_API_KEY"], ... "# Optional (only if you add a paid provider later)"

Recommendation

Do not configure these API keys unless you intentionally extend the skill to use those paid providers; maintainers should mark them optional or remove the required-env metadata.

What this means

Someone with access to the working directory could see the saved watchlist or cached symbols.

Why it was flagged

The skill persists a local watchlist, and quote scripts also write cache files. This is expected for tracking, but it records the user's market interests locally across runs.

Skill content

WATCHLIST_PATH = os.path.join(".cache", "market-tracker", "watchlist.json")

Recommendation

Review or delete the .cache/market-tracker directory if you do not want watchlist or quote-cache data retained.