finance
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: finance
Version: 1.1.2
The OpenClaw skill bundle is designed to track market data using public APIs and local caching. It uses `yfinance` for stocks/ETFs/indices and ExchangeRate-API for FX rates. File system operations are limited to a designated `.cache/market-tracker` directory for caching and watchlist persistence. The `market_watchlist.py` script uses `subprocess.run` to call `market_quote.py` within the same skill, which is a safe modularity pattern. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent beyond standard operational instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Ticker or FX symbols you ask about may be visible to Yahoo Finance/yfinance or open.er-api and may be affected by their rate limits or data quality.
The skill uses external market-data providers to answer quote requests. This is disclosed and central to the purpose, but queried symbols may be sent to third-party services.
- Stocks/ETFs/indices (via yfinance)
- FX pairs (via ExchangeRate-API open access)
Use the skill only for symbols you are comfortable querying through those providers, and consider a reviewed paid provider if you need stronger reliability or privacy guarantees.
Installing later may pull newer package versions than the author tested.
The install uses unpinned lower-bound Python dependencies, so future dependency versions could change behavior. This is common for Python tools but worth noticing.
yfinance>=0.2.40
pandas>=2.0.0
requests>=2.31.0
Install in a virtual environment and consider pinning exact versions or using a lockfile for repeatable installs.
A user might provide API keys that are unnecessary for the current implementation.
The skill frontmatter names provider API keys as required environment variables, while the surrounding text frames them as optional future placeholders and the included code does not use them.
requiredEnv":["TWELVEDATA_API_KEY","ALPHAVANTAGE_API_KEY"], ... "# Optional (only if you add a paid provider later)"
Do not configure these API keys unless you intentionally extend the skill to use those paid providers; maintainers should mark them optional or remove the required-env metadata.
Someone with access to the working directory could see the saved watchlist or cached symbols.
The skill persists a local watchlist, and quote scripts also write cache files. This is expected for tracking, but it records the user's market interests locally across runs.
WATCHLIST_PATH = os.path.join(".cache", "market-tracker", "watchlist.json")
Review or delete the .cache/market-tracker directory if you do not want watchlist or quote-cache data retained.
