ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

stock-rumors

v1.0.0

Scan M&A, insider, analyst, social, and regulatory rumor signals through AISA. Use when: the user asks about early market signals, rumors, insider activity,...

0· 28·0 current·0 all-time
by@bibaofeng
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (scan rumors via AISA) aligns with the code: the script calls an LLM client against an AISA endpoint to generate rumor reports. Requiring a single API key (AISA_API_KEY) and python3 is proportionate. Minor provenance inconsistency: registry metadata lists owner ID kn77... while _meta.json points to a GitHub repo owner '0xjordansg-yolo' — this mismatch doesn't prove maliciousness but is worth checking.
!
Instruction Scope
SKILL.md instructs only to run the bundled Python script, which is what the code does. However, the script reads environment variables not declared in requires.env (AISA_BASE_URL and AISA_MODEL) and will send prompts to an external API (AISA). The instructions explicitly avoid accessing local secrets, and the code does not read other local files or credentials, so there is no direct local credential access. The undeclared env vars give the skill extra, undocumented flexibility (e.g., redirecting requests to a custom endpoint).
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However, the script depends on the 'openai' Python package (not declared in SKILL.md's requires or installed automatically). The script includes a comment listing dependencies but provides no installation steps; running it without installing dependencies will fail. No downloads or obscure URLs are used.
!
Credentials
The declared required env var (AISA_API_KEY) is appropriate for a service integration. But the runtime code also reads AISA_BASE_URL and AISA_MODEL (optional) which are not declared in requires.env. That means the skill can be pointed at a different API endpoint or model via environment variables without that being documented in the manifest — a potential surprise for users who expect only the declared credential to be used.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system configuration. Autonomous invocation remains possible (the platform default) but is not combined with additional high privileges here.
What to consider before installing
This skill appears to do what it says (call AISA to scan for rumor signals) but has a few gaps you should address before installing: 1) Only give it an AISA API key if you trust the AISA provider and the skill source; verify the GitHub repo/author in _meta.json and confirm the registry owner. 2) The script can read AISA_BASE_URL and AISA_MODEL environment variables (not documented) — avoid setting those unless you know why; be cautious about redirecting the endpoint. 3) The code requires the Python 'openai' package but the skill provides no install steps; run it in an isolated environment (venv/container) and inspect the code yourself. 4) If you plan to use a real API key, consider testing with a limited/revocable key and monitor network activity. If any of the provenance or undocumented env behaviors are unacceptable, do not install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3
EnvAISA_API_KEY
Primary envAISA_API_KEY
latestvk97bjqas65pfce42xysy5m9qex850hxk
28downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0
@bibaofeng
latest
Download

Rumor Scanner

When to Use

  • Scan M&A, insider, analyst, social, and regulatory rumor signals through AISA. Use when: the user asks about early market signals, rumors, insider activity, analyst changes, or takeover chatter.

When NOT to Use

  • Do not use this skill for browser-cookie extraction, passwords, Keychain access, or other local sensitive credential access.
  • Prefer a different skill when the user request is outside this skill's domain.

Capabilities

  • Rank rumor-like signals by likely impact across several signal categories.

Quick Start

export AISA_API_KEY="your-key"

Primary Runtime

Use the bundled Python client as the canonical ClawHub runtime path:

python3 scripts/rumor_scanner.py

Example Queries

  • Scan for the strongest takeover or insider signals this week.

Notes

  • Rumors are unconfirmed and should be independently verified.

Comments

Loading comments...