ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Einstein Research — Options Strategy Advisor

v0.1.0

Options trading strategy analysis and simulation tool. Provides theoretical pricing using Black-Scholes model, Greeks calculation, strategy P/L simulation, a...

0· 60·0 current·0 all-time
byRunByDaVinci@clawdiri-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (options pricing, Greeks, strategy simulation) matches the presence of a Black‑Scholes implementation (scripts/black_scholes.py). However the SKILL.md and README reference higher-level analyzer scripts/CLI behavior (options_analyzer.py, options-analyzer CLI) that are not included in the file manifest, which reduces coherence between claimed capabilities and what is actually present.
!
Instruction Scope
SKILL.md instructs the agent to run commands and a main analysis script at paths that do not exist in the package (e.g., 'skills/options-analyzer/scripts/options_analyzer.py' and an 'options-analyzer' CLI). The SKILL.md says historical data is fetched via yfinance if volatility not provided, but the included code uses requests and a Financial Modeling Prep (FMP) API function that accepts an API key—these divergent instructions are contradictory and give the agent ambiguous runtime behavior.
Install Mechanism
There is no install spec: this is instruction‑plus-code only and nothing in the package pulls remote installers or executes downloads during install. That lowers install-time risk.
!
Credentials
The manifest declares no required environment variables, but README explicitly states an 'FMP API key' is required, and the included code defines a fetch_historical_prices_for_hv(symbol, api_key, ...) function that expects an API key and will make network requests. The SKILL.md alternatively mentions yfinance which would not need an API key. This mismatch means the skill may require sensitive credentials (API key) not declared in the registry metadata.
Persistence & Privilege
The skill does not request always:true, does not declare config paths or special privileges, and does not indicate it will modify other skills or system settings. Autonomous invocation is allowed but that is normal platform behavior.
What to consider before installing
Do not install or run this skill yet. Ask the publisher to clarify these points before proceeding: (1) provide the missing main analyzer script or correct the SKILL.md to reference the actual entry point (the repository currently only contains black_scholes.py), (2) confirm the data source for historical volatility (yfinance vs FMP) and whether an FMP API key is required—if so, the registry should declare which env var is expected and why, (3) show full network call destinations used by the code (to verify no unexpected endpoints), and (4) verify that no credentials will be logged or transmitted to third parties. If you proceed to test, do so in a sandboxed environment, inspect all network calls (e.g., with a proxy), and avoid providing real API keys until the above are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97af6p52twpmmxbkbh60zrhfx83d5h7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments