Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Einstein Research — Market Breadth Analyzer
v0.1.0Quantifies market breadth health using TraderMonty's public CSV data. Generates a 0-100 composite score across 6 components (100 = healthy). No API key requi...
⭐ 0· 58·0 current·0 all-time
byRunByDaVinci@clawdiri-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code files implement the stated 6-component breadth analysis using public CSVs from TraderMonty's GitHub Pages. The requested resources (public URLs) and file I/O are consistent with the described functionality; no unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md tells the agent to run 'python3 skills/market-breadth/scripts/breadth_analyzer.py', but the bundle contains 'scripts/market_breadth_analyzer.py' (different path and filename). SKILL.md also describes output filenames ('breadth_report_YYYY-MM-DD.*') that differ from the actual script's outputs ('market_breadth_YYYY-MM-DD_HHMMSS.*'). These mismatches could cause a naive agent to fail, run the wrong command, or attempt ad-hoc fixes. Aside from that, the declared runtime actions (fetch public CSVs, compute scores, write JSON/MD reports, maintain a small local history file) stay within the stated purpose and do not request unrelated system data or secrets.
Install Mechanism
No install spec is provided (instruction-only from registry perspective) and the code is included in the bundle. No network downloads of arbitrary archives or external installers are required by the skill itself. This is low install risk. Note: the bundle includes Python scripts that will run if executed.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, SKILL.md and the header metadata do not list required runtime dependencies (Python version, pip packages). README mentions pandas and requests; the code clearly uses requests and standard csv; pandas may or may not be required by some omitted files (report generator). The missing explicit dependency listing in SKILL.md is an operational gap but not a credential risk.
Persistence & Privilege
always is false and the skill does not request elevated privileges. It writes a small JSON history file (market_breadth_history.json) to the configured output directory — this is proportional to its purpose. Autonomous invocation (disable-model-invocation false) is standard; by itself it is not a red flag here.
What to consider before installing
This skill appears to implement the advertised market-breadth analysis and fetches only public CSVs, but the runtime documentation is inconsistent with the contained code. Before installing or running:
- Verify the correct entrypoint: run scripts/market_breadth_analyzer.py (or inspect the bundle) rather than the path in SKILL.md, which appears incorrect. Do not run unknown commands suggested by a mismatched README without checking.
- Ensure Python 3.8+ and required packages (requests at minimum; README mentions pandas) are installed in a controlled environment (e.g., virtualenv) before executing.
- Review any omitted files (report_generator, scorer) for additional dependencies or network calls; the truncated manifest indicates there are more files not shown in the prompt.
- Note the skill writes a small history JSON file to the output directory — pick an output directory you control (not system dirs) to avoid accidental overwrites.
These issues likely stem from documentation drift rather than malicious intent, but confirm the entrypoint and dependencies locally before running to avoid unexpected behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97a929mamh0rz235tvtmfx83x83d9hw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.