Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Follow-Through Day (FTD) Detector

v0.1.0

Detects Follow-Through Day (FTD) signals for market bottom confirmation using William O'Neil's methodology. Dual-index tracking (S&P 500 + NASDAQ) with state...

by RunByDaVinci @clawdiri-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's stated purpose (detect Follow-Through Days for SPY/QQQ) matches the code's functionality, but the registry/metadata claims no required environment variables or binaries while the code clearly expects an FMP API key (FMP_API_KEY) and Python HTTP libraries. README and SKILL.md also mention yfinance as an alternative data source, but the main orchestrator (scripts/ftd_detector.py) imports and instantiates an FMPClient that requires a key — the 'use Yahoo Finance' path is not implemented in the shown main script. These mismatches are incoherent with what someone would expect from the declared metadata.
Instruction Scope (flagged)
SKILL.md directs the agent to run a CLI and to 'send a notification to Omer' and 'update DaVinciOS Dashboard' when signals change, but no delivery endpoints, credentials, or implementation details for those notifications are included in the repository. That vagueness grants broad discretion (where/how to send alerts) and could be abused. The instructions otherwise stay within market-analysis scope (fetch prices, run state machine), but they reference sending notifications and dashboard updates without defined targets.
Install Mechanism
There is no install spec (instruction-only registry entry) which reduces installation risk, but the repository contains Python scripts that require packages (requests is imported in fmp_client.py; README lists yfinance and pandas). The metadata does not declare these dependencies or provide a reproducible install. No downloads from external or untrusted URLs are present in the manifest; code uses an external API (financialmodelingprep.com) via HTTPS.
Credentials (flagged)
The registry says 'Required env vars: none', but fmp_client.py will raise if FMP_API_KEY is not provided (it reads FMP_API_KEY from env and errors). That is a direct mismatch: a network-facing API key is required by the code yet not declared. Additionally, README suggests optional FMP API key vs Yahoo, further increasing ambiguity. Secrets/credentials are therefore requested by the code but not surfaced in metadata or SKILL.md, which is disproportionate and unexpected.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or platform configuration, and is user-invocable only. There is no install-time persistent agent privilege requested in the metadata. Running the scripts will make outbound API calls (to FMP) but that is proportional to the declared data-source purpose.
What to consider before installing
This package appears to implement the FTD detector code it claims, but there are clear inconsistencies you should resolve before running it:

- Expectation vs reality: The registry/metadata says no environment variables, yet the code requires an FMP API key (FMP_API_KEY) and will raise if it's missing. Decide whether you'll provide an FMP key or update the code to use yfinance (or another declared source).
- Undeclared dependencies: fmp_client.py imports requests; README suggests yfinance and pandas. Install and verify Python 3.8+ and the correct Python packages (requests, pandas, yfinance if intended). Prefer running in a virtualenv or container.
- Notifications are vague: SKILL.md mentions sending alerts to 'Omer' and updating a 'DaVinciOS Dashboard' but no endpoints/credentials are provided. Ask the author how alerts are delivered (email, Slack, webhook?) and inspect any notification code before allowing it to run with network access.
- Network calls: The scripts make outbound HTTPS calls to financialmodelingprep.com. If you provide an API key, treat it as a secret — store it securely and only provide it to code you trust. Review fmp_client.py to confirm it only calls expected endpoints.
- Safe testing: Run the scripts in a sandboxed environment (offline or with egress controls) first, inspect generated reports, and confirm no unexpected outbound destinations are used. If you plan to run it on a schedule/cron, add explicit, auditable notification configuration rather than relying on unspecified behavior.

If you cannot get clarifications from the publisher, consider the skill suspicious and either (a) run locally in a sandbox with no secret keys, or (b) decline installation until metadata and notification behavior are fixed.
