ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Einstein Research Suite

v1.0.0

A complete quantitative market research toolkit for serious traders and investors. Includes 11 specialized skills covering backtesting, breadth analysis, bub...

0· 71·0 current·0 all-time
byRunByDaVinci@clawdiri-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and README claim a coherent set of 11 quantitative research tools (backtesting, breadth, options, etc.). However, the repository does not actually contain those sub-skill code files; it only lists them as included and shows clawhub install commands. The README also lists Python dependencies (yfinance, pandas, numpy, scipy) but the pack has no install spec declaring or installing them. This is a provenance / completeness mismatch rather than an immediate functional contradiction.
Instruction Scope
Runtime instructions are limited to describing the pack and showing clawhub install commands for the listed sub-skills. There are no instructions to read arbitrary files, exfiltrate data, or access environment variables. The scope is constrained to installing/using other skills.
Install Mechanism
There is no install spec in the pack itself (instruction-only). That is low-risk, but the README dependency list (Python packages) is not enforced or declared in an install step, which may lead to surprising post-install requirements. Also, because the pack defers to clawhub to fetch sub-skills, the security of those sub-skills depends entirely on their registry entries.
Credentials
The pack declares no required environment variables, credentials, or config paths. That is proportionate to the high-level description. Still, the included sub-skills (which will be installed separately) may request credentials; you should inspect them before granting any secrets.
Persistence & Privilege
The pack is not marked always:true and does not request elevated/persistent privileges in its metadata. Autonomous invocation is allowed (default) but that is normal; nothing in this pack requests additional persistent system access.
What to consider before installing
This pack appears to be a wrapper/pack that points to 11 separate skills rather than containing their code, and it lacks an install spec for the Python libraries the README mentions. Before installing: 1) Verify the origin — there's no homepage and the owner is an opaque ID; check the registry listing and owner reputation. 2) Inspect each included sub-skill's SKILL.md and code (or registry page) to confirm they don't request unrelated credentials or network endpoints. 3) Be prepared to create an isolated environment (VM or container, or Python venv) and review/approve any Python packages (yfinance, pandas, numpy, scipy) before installing. 4) Do not provide brokerage or cloud credentials to the pack itself until you've audited each sub-skill that requests them. If you want higher assurance, install and test the sub-skills first in a sandbox and review any network calls they make.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cg9nexwc4s7ppy9j2tp4a5x83esgq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments