Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Congress Trades Tracker

v1.1.4

Track US congress member and politician stock trades in real-time using the Quiver Quant API. Syncs trades to a local SQLite database, detects new significan...

0 · 630 · 0 current · 1 all-time
by Arm4x @armax
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (track congressional trades via Quiver Quant) aligns with the included script and instructions. However, the registry metadata lists no required environment variables while SKILL.md and scripts/scraper.py both require QUIVER_API_KEY — a metadata inconsistency that should be corrected.
Instruction Scope
SKILL.md and the script stay within scope: they call only the Quiver API, write a local SQLite DB and alert files under the skill's data directory, and instruct cron/OpenClaw pickup. There are no instructions to read unrelated host files or to send data to third-party endpoints beyond api.quiverquant.com.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with a simple Python script that depends on the standard requests package — low install risk.
Credentials
The script legitimately requires a single API key (QUIVER_API_KEY) and optional local-path env vars (CONGRESS_DB_PATH, MIN_TRADE_AMOUNT). This is proportionate to its function, but the registry metadata failing to list QUIVER_API_KEY is an incoherence to surface.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configs. It writes only to its own data/logs paths under the skill directory; autonomous model invocation is allowed but is the platform default.
Assessment
This skill appears to do what it says: poll Quiver Quant, store trades locally, and write alert files for OpenClaw pickup. Before installing:
1) Provide a Quiver API key (QUIVER_API_KEY) via environment — the registry metadata omitted this but both SKILL.md and the script require it.
2) Confirm where the skill will be placed so the created data/ and logs/ directories are acceptable, and set restrictive permissions (chmod 700 data/).
3) Ensure the agent environment has Python 3.10+ and the requests package.
4) Review cron scheduling and retention (it writes new_trades.json and a SQLite DB) to avoid unbounded growth.
5) Treat QUIVER_API_KEY as sensitive (don't hard-code it; store it in a secure secrets store).
If you need stronger assurance, ask the publisher to correct the registry metadata to declare QUIVER_API_KEY and to provide an origin/homepage for trust verification.

Like a lobster shell, security has layers — review code before you run it.


