ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SnapTrade

v1.0.0

Connect to a user's investment accounts via SnapTrade SDK and generate portfolio reports (e.g., daily total value). Use when the user wants SnapTrade-based brokerage connectivity (Webull, E*TRADE, etc.), connection portal links, account registration, or automated portfolio summaries.

0· 627·1 current·1 all-time
by@brendanwood
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the code and instructions. The scripts use the official SnapTrade Python SDK, implement connection portal generation, account listing, total-value calculation, order placement/monitoring, and reconnect flows — all expected for a SnapTrade portfolio/trading helper.
Instruction Scope
SKILL.md and the scripts stay within scope: they instruct installing the SDK, creating a SnapTrade account, storing client_id/consumer_key/user_secret in a local config, and then call the SDK for listing accounts, holdings, and placing orders. They do not reference unrelated system paths, other services, or unexpected external endpoints.
Install Mechanism
Install is via pip (requirements.txt -> snaptrade-python-sdk==11.0.159). This is proportional to the task but pip installs carry the normal supply-chain risk; the skill has no bundled installers or obscure download URLs.
Credentials
No unrelated environment variables or credentials are requested. The skill expects a local JSON config (client_id, consumer_key) and will store a generated user_secret; this is proportionate to SnapTrade integration. The default config path is inside the user's home .openclaw workspace (overridable via SNAPTRADE_CONFIG), which is reasonable but worth noting.
Persistence & Privilege
Skill is not forced-always, does not modify other skills, and only writes its own config file under the declared path. Agent/autonomous invocation is allowed (platform default) but is not combined with other elevated privileges here.
Assessment
This skill appears to implement exactly what it claims: SnapTrade connectivity, portal link generation, account listing, total-value reports, and placing/watching orders. Before installing or running it: 1) Verify the skill publisher and provenance (registry metadata shows no homepage/source) and audit the included code (you have the scripts locally). 2) Treat client_id/consumer_key and generated user_secret as sensitive — store them with strict permissions and do not commit them to version control. 3) Be aware the skill can place real trades; only run order scripts (buy/sell) if you intentionally permit live trading and understand the account/account-id you’re acting on. 4) When using pip to install the SDK, prefer running in an isolated virtualenv/container and confirm the snaptrade-python-sdk package/version integrity. 5) If you need higher assurance, validate network endpoints used by the SDK and test with a sandbox/demo SnapTrade account first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976s804abhj2q740npj01nqn9813t5v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments