Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Info Explorer Jarvis
v1.2.11
A Yahoo Finance (yfinance) powered financial analysis tool. Get real-time quotes, generate high-resolution charts with moving averages + indicators (RSI/MACD...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the script uses yfinance, pandas, mplfinance/plotille and implements RSI/MACD/Bollinger/VWAP/ATR and chart generation. No unrelated credentials, binaries, or endpoints are requested.
Instruction Scope
SKILL.md instructs running the provided script with specific commands and flags; those commands map to functions present in the visible portion of the script. The instructions do not ask the agent to access unrelated files, env vars, or external endpoints beyond Yahoo Finance.
Install Mechanism
There is no install spec (instruction-only skill with an embedded script). The script lists reasonable Python dependencies in comments (yfinance, pandas, matplotlib, mplfinance, rich, plotille). Lack of an install step is low-risk but means the environment must already have these Python packages available; nothing in the install mechanism appears malicious.
Credentials
The skill declares no required environment variables, config paths, or primary credential. The visible code does not access credentials or unrelated environment secrets; it only fetches market data via yfinance and writes chart PNGs to /tmp.
Persistence & Privilege
Skill is not always-enabled and does not modify other skills or persistent agent settings. It writes PNG output to /tmp (expected for charting) and prints a CHART_PATH; no elevated privileges are requested.
What to consider before installing
The skill appears coherent with its stated purpose: it fetches data from Yahoo Finance and computes/plots indicators locally, requiring common Python plotting/data libraries. However, the provided scripts/yf.py appears truncated in the package listing (a line ends with 'parser.add_argum' and the file is cut off), so the full runtime behavior cannot be verified. Before installing or running: (1) obtain and inspect the complete yf.py source (or ask the publisher for the full file); (2) run it in an isolated environment (sandbox or container) because it executes arbitrary Python and performs network requests to Yahoo; (3) ensure required Python dependencies are installed from trusted registries; (4) verify there are no hidden uploads or telemetry in the remainder of the script—if you cannot get the full source or a verifiable checksum from a trusted homepage/owner, treat the package as untrusted.
Like a lobster shell, security has layers — review code before you run it.
