Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Analyzer

v0.0.6

Multi-source trading analyzer (`/drunk-trading-analyzer`) combining crypto data (TradingView), stock data (Alpha Vantage), and market intelligence (Yahoo Finance) into unified analysis reports with price trends, technical indicators, and sentiment analysis.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md/README describe a trading analysis skill that orchestrates TradingView, Alpha Vantage, and Yahoo Finance via mcporter MCP tools — that purpose is coherent with the listed mcporter calls and examples. However, registry metadata declares no required env vars while the README and SKILL.md clearly instruct the user to provide an ALPHAVANTAGE_API_KEY and to configure MCP servers, which is an omission/inconsistency. MCP server names also differ between files (e.g., tradingview-mcp vs tradingview-m, alphavantage vs alpha-vantage), suggesting sloppy metadata or copy/paste issues.
Instruction Scope
Instructions direct the agent/user to install and invoke external tooling (mcporter and MCP server packages) using npx/brew and to edit local config files (config/mcporter.json or ~/.mcporter/mcporter.json) and shell profiles to store API keys. These actions are within the skill's functional purpose but expand scope to fetching and executing third-party packages and modifying local config and shell profile files. The SKILL.md also contains examples that will cause network calls and arbitrary tool execution via mcporter; the skill gives broad discretion to run these external commands.
Install Mechanism
The registry lists no install spec, but the README encourages installing mcporter via npm/pnpm/Homebrew or using npx to run MCP packages (e.g., tradingview-m-mcp@latest, alpha-vantage-mcp@latest). That means executing code fetched from package registries or taps at runtime — a legitimate distribution choice but higher-risk than instruction-only local operations because the invoked packages can run arbitrary code. No direct download-from-untrusted-URL patterns are present, but relying on unverified 'latest' npm packages and an external brew tap increases supply-chain risk.
Credentials
Registry metadata declares no required environment variables, yet the README and SKILL.md explicitly instruct the user to set ALPHAVANTAGE_API_KEY (and show how to persist it in shell profiles or mcporter config). This mismatch is a red flag: the skill does need at least one credential for Alpha Vantage, and storing an API key in shell profile or config exposes it to the local environment and any processes that can read that file. There are no other unexplained credential requests, but the metadata/README disparity should be resolved.
Persistence & Privilege
The skill does not request always:true and is not set to force installation. It instructs editing mcporter config files and adding environment variables, which is normal for a tool that orchestrates external services. It does not request to modify other skills or system-wide agent settings beyond configuring mcporter servers and env mappings.
What to consider before installing
This skill appears to do what it claims (combine TradingView, Alpha Vantage, Yahoo data) but has several inconsistencies and supply-chain risks you should consider before installing or running any commands it recommends:

- Metadata mismatch: the registry lists no required env vars but the README/SKILL.md require ALPHAVANTAGE_API_KEY. Treat that as a correctness/quality issue and ask the publisher to update the metadata.
- External code execution: the skill tells you to run mcporter and to call MCP packages via npx, or to install mcporter via Homebrew. Those commands will download and execute third-party code (npm packages, brew taps). Only run them if you trust the package authors and have inspected the packages, or run them in a sandbox.
- Protect secrets: if you provide ALPHAVANTAGE_API_KEY, avoid putting high-privilege credentials in global shell profiles or shared config. Use a scoped API key with limited permissions/rate limits where possible, and prefer storing secrets in a secure credential store rather than in plaintext files.
- Verify package names and sources: SKILL.md/README use inconsistent server/package names (tradingview-mcp vs tradingview-m, etc.). Before running npx install commands, verify the exact package names and author/publisher on npm and Homebrew (look up the steipete tap and the npm authors). Prefer pinned versions over '@latest'.
- If you need higher assurance: ask the skill author for a source repo or homepage, inspect the mcporter and MCP packages manually, run commands in an isolated VM/container, or decline to install.

Given the unknown source and the instructions to fetch and execute external packages, treat this skill as suspicious until you can validate the origins and the exact packages it will run.


latest · vk97detxn76w9s8jtfbqgmtw5kn80zhwt


Runtime requirements

Clawdis
OS: macOS · Linux · Windows
