Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Investment Analyzer

v1.0.0

Investment analysis for properties and ETFs. BUY/PASS/INVESTIGATE verdicts backed by data. Scans Centris for listings, advises DCA allocation. Triggers: anal...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill claims to analyze ETFs and properties and to scan Centris, and the Python scripts implement those tasks (yfinance for ETFs, requests+BeautifulSoup for Centris). However, the registry metadata requires the 'gemini' binary and GEMINI_API_KEY as the primary credential — neither the SKILL.md instructions nor any script references 'gemini' or GEMINI_API_KEY. Conversely, the scripts depend on Python and third-party libraries (yfinance, beautifulsoup4, requests) that are not declared as required. The declared credential and binary do not match the actual capabilities.
Instruction Scope
SKILL.md instructs the agent to run the included scripts and to read local reference files; that maps to the code. The scripts make network calls to yfinance and centris.ca (scraping endpoints) and will surface addresses and financial estimates, which is expected for this purpose. The instructions do not mention installing Python packages or that the scripts will make web requests, which is an omission. No instructions direct data to unknown external endpoints beyond standard market-data sites and Centris.
Install Mechanism (flagged)
There is no install spec: the skill is instruction/code-only, but the manifest includes Python scripts that require third-party packages (yfinance, beautifulsoup4, requests). The skill also declares a required binary 'gemini' but provides no explanation or install steps. The missing Python dependency installation steps and the unexplained external binary requirement are inconsistent and likely to cause runtime surprises.
Credentials (flagged)
The skill requires a single primary credential, GEMINI_API_KEY, but none of the code or runtime instructions reference or use it. No other credentials are requested. Requiring a secret API key that is unrelated to the code's operations is disproportionate and suspicious — it could be a misconfiguration or an attempt to collect an unnecessary credential.
Persistence & Privilege
The skill is not flagged 'always' and does not request system-wide changes. It does not ask to persist credentials or modify other skills. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
What to consider before installing
Do not provide your GEMINI_API_KEY to this skill — the code does not use it and the key request is unexplained. Before installing or running:

1) Ask the publisher why 'gemini' and GEMINI_API_KEY are required; remove the credential requirement if it is unnecessary.
2) Verify and install the Python runtime and the explicit package dependencies (yfinance, requests, beautifulsoup4) in a controlled environment; the manifest does not declare them.
3) Review the scripts locally: they perform network requests, scrape Centris and fetch market data; expect them to fetch property addresses and public listing details (sensitive PII may be output).
4) Run the code in a sandbox or isolated environment first and inspect network traffic if you are concerned about exfiltration.
5) Prefer a version that removes the unused GEMINI requirement or documents why it is needed.

If the origin of this skill is unknown or the author cannot justify the GEMINI requirement, treat it as untrusted.


Version: latest · vk97bbhkb5h4e8nsnew5yq5jk3h83kbaz


Runtime requirements

Runtime: Clawdis
Bins: gemini
Env: GEMINI_API_KEY
Primary env: GEMINI_API_KEY
