Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Investment Research
v0.2.1 · Provides comprehensive investment research on a company or industry, covering financials, industry landscape, valuation, technicals, and risk catalysts, to support professional investment decisions.
by CaiJichang (@caijichang212)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill's stated purpose (structured investment research) aligns with the documented behavior: it instructs the agent to fetch financial data, analyze fundamentals/industry/valuation/technicals, and produce a report. However, there is an internal inconsistency: the top-level registry metadata shown to the evaluator lists no required env vars, while _meta.json and CONFIG.md explicitly reference QVERIS_API_KEY and TAVILY_API_KEY. Version/homepage fields also mismatch (registry shows version 0.2.1 and no homepage, while SKILL.md/README/_meta show 0.3.0 and a GitHub homepage). These mismatches reduce confidence in packaging quality.
Instruction Scope
SKILL.md is explicit and stays within the investment-research scope: it instructs using qveris-official and tavily-search to fetch public financial data, to cite sources and dates, to cross-validate at least two sources, and to separate facts/assumptions/judgements. It does not instruct reading unrelated local files or exfiltrating arbitrary system data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, minimizing on-disk execution risk. It does recommend configuring OpenClaw tools (qveris-official, tavily-search) in the platform config, which is normal for data-source integrations.
Credentials
Requiring API keys for financial data providers (QVERIS_API_KEY, TAVILY_API_KEY) is proportional to the skill's function. The problem is that the top-level 'Requirements' reported to the evaluator showed none, while _meta.json and CONFIG.md require these env vars—this inconsistency should be resolved before trusting the skill. Confirm which credentials are actually required and limit their scopes; do not provide broader secrets than necessary.
Persistence & Privilege
The skill does not request elevated platform privileges and 'always' is false. It asks the operator to enable/configure external tools in the OpenClaw config (tool-level config), which is expected. There is no evidence it modifies other skills or system-wide settings beyond its own recommended tool entries.
Scan Findings in Context
[NO_SCAN_FINDINGS] expected: The package is instruction-only (no code files), so the regex-based scanner had nothing to analyze. This is expected but means static analysis provides little signal—review the instructions and external tool endpoints manually.
What to consider before installing
What to check before installing or enabling this skill:
- Metadata consistency: the package shows conflicting metadata (registry claimed no required env vars and version 0.2.1, but _meta.json/README/SKILL.md reference QVERIS_API_KEY, TAVILY_API_KEY and version 0.3.0 with a GitHub homepage). Ask the skill author or check the listed GitHub repo to confirm the canonical source and correct version.
- API keys: the skill expects finance API keys (qveris/tavily). Only provide keys with limited scope and rotate them if you later revoke access. Do not reuse high-privilege or broadly-scoped secrets.
- Verify tool endpoints: confirm 'qveris-official' and 'tavily-search' are legitimate trusted services and that the integration in your OpenClaw config points to official endpoints. If unsure, test with a throwaway or low-permission key first.
- Least privilege: configure keys with read-only, query-limited scopes where possible and avoid embedding keys in files; follow the skill's own Security Advice (use env vars, .gitignore, rotate keys).
- Operational testing: run the skill on a non-sensitive or public ticker first and verify returned source URLs, timestamps, and that the skill cites independent sources as it claims.
- If you need higher assurance: request the canonical repository/source and changelog from the owner, or inspect any remote tool connectors your platform will install before granting credentials.
Given the functional coherence but packaging/documentation mismatches, proceed only after resolving the metadata inconsistencies and confirming which env vars are actually required.
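The metadata checks above (undeclared env vars, version and homepage drift between the registry entry and the package files, external endpoints to vet) can be automated before a skill is enabled. The script below is an added example written for this listing; it is not ClawHub or OpenClaw code. It assumes the skill is a directory of text files (SKILL.md, README.md, CONFIG.md) plus a `_meta.json` carrying `version`, `homepage` and `env` keys, and that the registry's view of the skill is available as a dict with the same keys; those key names, the `build_sample_skill()` file contents and the placeholder URLs are constructed for the example.

```python
"""Pre-install consistency check for an instruction-only agent skill.

Added example, not ClawHub or OpenClaw code.  Assumed layout: SKILL.md,
README.md, CONFIG.md and _meta.json ("version", "homepage", "env") in one
directory; the registry's metadata is passed in as a dict with the same keys.
"""
import json
import re
import tempfile
from pathlib import Path

TEXT_FILES = ("SKILL.md", "README.md", "CONFIG.md")
# Credential-looking identifiers such as FOO_API_KEY or FOO_BAR_TOKEN.
ENV_VAR_RE = re.compile(r"\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*_(?:API_KEY|TOKEN|SECRET|PASSWORD))\b")
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")
URL_RE = re.compile(r"https?://([^/\s)>\"']+)")


def _texts(skill_dir):
    """Yield (filename, contents) for each instruction file that exists."""
    for name in TEXT_FILES:
        p = Path(skill_dir) / name
        if p.is_file():
            yield name, p.read_text(encoding="utf-8")


def referenced_env_vars(skill_dir):
    """Map every credential-looking env var to the files that mention it."""
    found = {}
    for name, text in _texts(skill_dir):
        for m in ENV_VAR_RE.finditer(text):
            found.setdefault(m.group(1), set()).add(name)
    return found


def referenced_hosts(skill_dir):
    """Hosts named in the instructions: the endpoints to verify by hand."""
    return sorted({h for _, text in _texts(skill_dir) for h in URL_RE.findall(text)})


def check_skill(skill_dir, registry):
    """Compare the registry's metadata with what the package itself says.

    Returns a list of (severity, message); an empty list means consistent.
    """
    findings = []
    meta = json.loads((Path(skill_dir) / "_meta.json").read_text(encoding="utf-8"))

    # 1. Credentials the files need but the registry never disclosed.
    declared = set(registry.get("env") or [])
    meta_env = set(meta.get("env") or [])
    referenced = referenced_env_vars(skill_dir)
    for var in sorted((set(referenced) | meta_env) - declared):
        where = set(referenced.get(var, set()))
        if var in meta_env:
            where.add("_meta.json")
        findings.append(("high", f"{var} required by {', '.join(sorted(where))} "
                                 "but not declared in registry requirements"))

    # 2. Version strings that disagree across registry, _meta.json and docs.
    versions = {"registry": registry.get("version"), "_meta.json": meta.get("version")}
    for name, text in _texts(skill_dir):
        m = VERSION_RE.search(text)
        if m:
            versions[name] = m.group(1)
    if len({v for v in versions.values() if v}) > 1:
        findings.append(("medium", "version mismatch: " + ", ".join(
            f"{k}={v}" for k, v in versions.items() if v)))

    # 3. Homepage present in the package but absent or different in the registry.
    if meta.get("homepage") != registry.get("homepage"):
        findings.append(("low", f"homepage differs: _meta.json={meta.get('homepage')!r} "
                                f"registry={registry.get('homepage')!r}"))
    return findings


# Constructed sample reproducing the mismatches in this listing (0.2.1 vs 0.3.0,
# undeclared QVERIS_API_KEY / TAVILY_API_KEY).  URLs are placeholders.
SAMPLE_REGISTRY = {"version": "0.2.1", "homepage": None, "env": []}


def build_sample_skill():
    d = Path(tempfile.mkdtemp())
    (d / "_meta.json").write_text(json.dumps({
        "version": "0.3.0",
        "homepage": "https://github.com/example/investment-research",
        "env": ["QVERIS_API_KEY", "TAVILY_API_KEY"]}))
    (d / "SKILL.md").write_text("---\nname: investment-research\nversion: 0.3.0\n---\n"
                                "Use qveris-official and tavily-search; cite sources.\n")
    (d / "README.md").write_text("# Investment Research v0.3.0\n")
    (d / "CONFIG.md").write_text("export QVERIS_API_KEY=...\nexport TAVILY_API_KEY=...\n"
                                 "Endpoint: https://api.example.invalid/v1 (placeholder)\n")
    return str(d)


if __name__ == "__main__":
    skill = build_sample_skill()
    for sev, msg in check_skill(skill, SAMPLE_REGISTRY):
        print(f"[{sev}] {msg}")
    print("hosts to vet:", referenced_hosts(skill))
```

Run against the constructed sample, the checker reports the two undeclared keys as high, the 0.2.1/0.3.0 disagreement as medium and the missing registry homepage as low; once the registry entry declares the same env vars, version and homepage as `_meta.json`, it returns no findings. The host list is reported separately rather than as a finding, because whether `api.example.invalid` (or a real provider) is the official endpoint is a judgement the operator still has to make.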
latest: vk9795dzyn64pptrpg3mw1bhvzx839rjf
