ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

stock-watchlist-aisa

v1.0.0

Manage a stock crypto watchlist with target and stop alerts using live AISA price checks. Use when: the user wants to add watchlist items, set targets, track...

0· 56·0 current·0 all-time
by@bibaofeng

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bibaofeng/stock-watchlist-aisa.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "stock-watchlist-aisa" (bibaofeng/stock-watchlist-aisa) from ClawHub.
Skill page: https://clawhub.ai/bibaofeng/stock-watchlist-aisa
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: AISA_API_KEY
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install stock-watchlist-aisa

ClawHub CLI

Package manager switcher

npx clawhub@latest install stock-watchlist-aisa
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual behavior: the script manages a local watchlist and fetches live price/signals via the AIsa API. Requiring AISA_API_KEY and python3 is appropriate for that purpose.
!
Instruction Scope
SKILL.md instructs running the provided Python script and storing state locally (./.clawdbot/...), which matches the code. However, the runtime also reads additional environment variables (AISA_BASE_URL, AISA_MODEL, CLAWDBOT_STATE_DIR) that are not declared in the SKILL.md requires list — this is scope creep and could lead to unexpected behavior if those variables are present or set by the environment.
!
Install Mechanism
There is no install spec (instruction-only), but the bundled script imports the 'openai' Python package (commented dependency). The skill does not declare or install this dependency, so the runtime may fail or an operator may install packages manually — a missing install/dependency declaration is a practical/integrity gap.
Credentials
The only declared required credential is AISA_API_KEY, which is appropriate. The code also accepts AISA_BASE_URL and AISA_MODEL (undocumented) and uses CLAWDBOT_STATE_DIR for state location. Allowing AISA_BASE_URL to be overridden can point the API traffic to arbitrary endpoints if an operator sets it, which could be abused but is user-controlled.
Persistence & Privilege
The skill does not request permanent 'always: true' presence and only writes to a repo-local state file under a .clawdbot path (or CLAWDBOT_STATE_DIR). It does not modify other skills or global agent settings.
What to consider before installing
This skill mostly does what it says (local watchlist + live checks via AIsa), but review these before installing: (1) The Python script requires the 'openai' package (commented in the file) but the skill has no install instructions — either install that dependency or the script will fail. (2) Only provide AISA_API_KEY if you trust the upstream AIsa service; the code will send your tickers to that external API. (3) Be aware of three additional environment variables the code will honor if present: AISA_BASE_URL (can redirect API calls), AISA_MODEL, and CLAWDBOT_STATE_DIR (controls where state is written). If you do not want API traffic redirected, do not set AISA_BASE_URL to an unknown host. (4) If you want higher assurance, run the script locally from a safe environment, audit the source (scripts/watchlist.py), and consider installing dependencies in an isolated virtualenv before supplying credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3
EnvAISA_API_KEY
Primary envAISA_API_KEY
latestvk970pvv15xe0tvp8rqhw3dz8dh8539k2
56downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@bibaofeng
latest
Download

Watchlist Management

When to Use

  • Manage a stock crypto watchlist with target and stop alerts using live AISA price checks. Use when: the user wants to add watchlist items, set targets, track stops, or run alert checks on tickers.

When NOT to Use

  • Do not use this skill for browser-cookie extraction, passwords, Keychain access, or other local sensitive credential access.
  • Prefer a different skill when the user request is outside this skill's domain.

Capabilities

  • Add, remove, list, and check watchlist entries from the command line.
  • Store watchlist state in a repo-local directory by default for safer publishing.

Quick Start

export AISA_API_KEY="your-key"

Primary Runtime

Use the bundled Python client as the canonical ClawHub runtime path:

python3 scripts/watchlist.py

Example Queries

  • Add NVDA to the watchlist with a target and a stop price.

Notes

  • Default state is stored in ./.clawdbot/skills/stock-analysis/watchlist.json unless CLAWDBOT_STATE_DIR is set.

Comments

Loading comments...