ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Einstein Research — Macro Regime Detector

v0.1.0

Detect structural macro regime transitions (1-2 year horizon) using cross-asset ratio analysis. Analyze RSP/SPY concentration, yield curve, credit conditions...

0· 61·0 current·0 all-time
byRunByDaVinci@clawdiri-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and documentation implement a cross-asset macro-regime detector that matches the name/description: calculators for RSP/SPY, IWM/SPY, HYG/LQD, SPY/TLT, yield curve and sector rotation are present and weighted as described. This capability legitimately needs market data API access (FMP or Yahoo) and Python data libraries.
!
Instruction Scope
SKILL.md instructs the agent to load local reference docs and to execute a Python script that will fetch ~600 days of market data (network calls). The run command in SKILL.md references 'skills/macro-regime-detector/scripts/macro_regime_detector.py' but the repository shows 'scripts/macro_regime_detector.py' (path mismatch). The instructions require an API key (or optional Yahoo fallback) and to read local reference files; they do not ask to read unrelated system files or credentials, but the agent will execute third-party Python code from the skill bundle which can perform arbitrary actions unless sandboxed.
Install Mechanism
There is no install spec (instruction-only from a platform perspective) but the bundle includes ~23 Python files. README mentions installing packages (yfinance, pandas) but these dependencies are not declared in registry metadata or an install step. Running the scripts will require Python packages and will write output files (JSON/MD) to disk; absence of an explicit install step or dependency manifest increases operational risk (agent may fail or execute with missing/older libs).
!
Credentials
SKILL.md and README state an FMP API key is required (FMP_API_KEY env var or --api-key) though the registry metadata lists no required env vars / primary credential — a clear mismatch. Requesting an API key for a market-data service is proportionate to the stated purpose, but the missing declaration in metadata is an integrity issue. No other secrets are requested in code/README, and the code appears focused on fetching market data rather than exfiltrating arbitrary secrets.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config path changes. It is user-invocable and allows autonomous invocation (platform default) — nothing in the files shows it modifies other skills or requests elevated agent privileges.
What to consider before installing
This skill appears to implement the advertised macro-regime detector, but there are a few inconsistencies you should address before running it: (1) SKILL.md and README require an FMP API key (FMP_API_KEY) but the registry metadata does not declare any required env vars — treat any API key as sensitive and only provide one with least privilege; (2) there is no install spec or dependency manifest even though the code needs Python packages (pandas, yfinance) — run inside an isolated environment (venv/container) and install deps explicitly; (3) SKILL.md references a different script path than the repository contains — confirm the correct run command; (4) because the skill includes executable Python files, review scripts/fmp_client.py and the main macro_regime_detector.py to confirm network calls are only to expected data providers (FMP/Yahoo) and that no unexpected endpoints or credential reads exist; (5) run the code in a sandboxed environment with a throwaway API key or the minimal-permission key first. If you are not comfortable doing these checks, ask the publisher for clarification or request a version with a clear dependency manifest and explicit, matching metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk974z7ddsc9vyzazp4q7vzcxz583cvrt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments